Commit a251c2da authored by catch's avatar catch

Issue #2830596 by pwolanin, YesCT, alexpott:...

Issue #2830596 by pwolanin, YesCT, alexpott: MTimeProtectedFastFileStorage::getFullPath() creates really long filenames unnecessarily
parent 44adac7a
......@@ -2,6 +2,8 @@
namespace Drupal\Component\PhpStorage;
use Drupal\Component\Utility\Crypt;
/**
* Stores PHP code in files with securely hashed names.
*
......@@ -130,7 +132,7 @@ public function getFullPath($name, &$directory = NULL, &$directory_mtime = NULL)
if (!isset($directory_mtime)) {
$directory_mtime = file_exists($directory) ? filemtime($directory) : 0;
}
return $directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';
return $directory . '/' . Crypt::hmacBase64($name, $this->secret . $directory_mtime) . '.php';
}
/**
......@@ -225,7 +227,7 @@ protected function getUncachedMTime($directory) {
*/
protected function tempnam($directory, $prefix) {
do {
$path = $directory . '/' . $prefix . substr(str_shuffle(hash('sha256', microtime())), 0, 10);
$path = $directory . '/' . $prefix . Crypt::randomBytesBase64(20);
} while (file_exists($path));
return $path;
}
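Review bot: In tempnam(), the `file_exists($path)` loop only checks that the name is free and does not reserve it, so uniqueness now rests on the 20 random bytes from `Crypt::randomBytesBase64(20)` rather than on the loop. That is a clear improvement over the microtime-derived suffix, but the contract should be stated above the `do`, for example `// The name is unpredictable but not reserved: the caller must create the file itself and treat a failed write as an error.` How the returned path is opened is outside this hunk, so whether the caller creates it exclusively cannot be confirmed here. The docblock of tempnam() starts above the hunk.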
......
......@@ -57,3 +57,11 @@ function system_post_update_add_region_to_entity_displays() {
array_map($entity_save, EntityViewDisplay::loadMultiple());
array_map($entity_save, EntityFormDisplay::loadMultiple());
}
/**
* Force Twig PHP file cache to be cleared.
*/
function system_post_update_clear_twig_cache() {
// Empty post-update hook.
}
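Review bot: The body comment `// Empty post-update hook.` in system_post_update_clear_twig_cache() does not explain how an empty function fulfils the docblock's promise to force the Twig PHP file cache to be cleared. Presumably running any pending update triggers a cache rebuild, which matters here because compiled files were stored under the old hex HMAC names; that mechanism is not visible in this hunk. I would spell it out, e.g. `// Intentionally empty: running updates rebuilds caches, so compiled Twig files written under the old file names are regenerated.`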
......@@ -2,6 +2,8 @@
namespace Drupal\Tests\Component\PhpStorage;
use Drupal\Component\Utility\Crypt;
/**
* Base test class for MTime protected storage.
*/
......@@ -77,7 +79,7 @@ public function testSecurity() {
$expected_directory = $expected_root_directory . '/' . $name;
}
$directory_mtime = filemtime($expected_directory);
$expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';
$expected_filename = $expected_directory . '/' . Crypt::hmacBase64($name, $this->secret . $directory_mtime) . '.php';
// Ensure the file exists and that it and the containing directory have
// minimal permissions. fileperms() can return high bits unrelated to
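Review bot: testSecurity() recomputes `$expected_filename` with the same `Crypt::hmacBase64($name, $this->secret . $directory_mtime)` call the implementation uses, so it cannot detect a regression in the length or character set of the stored file name, which is what this issue is about. An explicit check next to the existing assertions would pin it, for example `$this->assertSame(47, strlen(basename($expected_filename)));`, assuming hmacBase64() yields 43 URL-safe characters for SHA-256 before the `.php` suffix. The test body begins and ends outside the hunk, so an equivalent assertion may already exist further down.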
......