pressflow / 6

Each version of Pressflow is API-compatible with the same major Drupal version. For example, Pressflow 6 is compatible with all Drupal 6 modules. Pressflow 6 also integrates the SimpleTest system from Drupal 7 and the CDN support patch.
http://pressflow.org/
GNU General Public License v2.0

Use real HMAC function in simpletest #94

Closed neclimdul closed 4 years ago

neclimdul commented 9 years ago

So here's a thing, I didn't really look for the link but long ago there was this discussion in the simpletest queue to fix 500 errors because drupal_base64_encode makes values invalid in headers. Now core has backported an HMAC method that creates valid values so we can use it.

pwolanin commented 9 years ago

Sure - for pressflow we could also swap in hash_hmac('sha1') to the core change - core is still maintaining nominal php 4 compatibility so doesn't use hash_hmac or the raw param of sha1.

neclimdul commented 9 years ago

Yeah, I was surprised that wasn't there but I guess it was just a quick merge of the security fix.

pwolanin commented 9 years ago

The branch as is doesn't seem to fix up the drupal_hmac_base64 function. It can just be:

function drupal_hmac_base64($data, $key) {
  // Casting $data and $key to strings here is necessary to avoid empty string
  // results of the hash function if they are not scalar values. As this
  // function is used in security-critical contexts like token validation it is
  // important that it never returns an empty string.
  $hmac = base64_encode(hash_hmac('sha1', (string) $data, (string) $key, TRUE));
  // Modify the hmac so it's safe to use in URLs.
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

which eliminates the pack() call. Doesn't matter much since this is minimally used in core.
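As an added example (not code from the thread, Pressflow or Drupal core), the snippet below puts the hash_hmac() form proposed above next to a pack()-based form that produces the same bytes without the raw-output parameter, and checks the two properties the thread cares about: the output is identical, and it contains only URL- and header-safe characters. The token check with hash_equals() is my own addition (PHP 5.6+), included because the function's comment says it feeds token validation; the key and data values are constructed placeholders.

```php
<?php
// Added example, not Pressflow/Drupal code. Requires PHP >= 5.6 for hash_equals().

function drupal_hmac_base64_raw($data, $key) {
  // The form proposed in the thread: raw binary HMAC-SHA1, base64, made URL-safe.
  $hmac = base64_encode(hash_hmac('sha1', (string) $data, (string) $key, TRUE));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

function drupal_hmac_base64_packed($data, $key) {
  // Equivalent form without the raw-output parameter: take the hex digest and
  // pack() it back into the same 20 bytes before base64 encoding.
  $hex  = hash_hmac('sha1', (string) $data, (string) $key);
  $hmac = base64_encode(pack('H*', $hex));
  return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}

function token_is_valid($data, $key, $token) {
  // Recompute and compare in constant time; hash_equals() is a PHP 5.6+ API
  // and is an addition to the thread's function, not part of it.
  return hash_equals(drupal_hmac_base64_raw($data, $key), (string) $token);
}

function demo() {
  $key  = 'constructed-example-key';   // placeholder, not a real secret
  $data = 'form-id|session-id|12345';  // constructed sample input

  $raw    = drupal_hmac_base64_raw($data, $key);
  $packed = drupal_hmac_base64_packed($data, $key);

  return array(
    // Both forms yield the same URL-safe string.
    'same_output' => $raw === $packed,
    // Only [A-Za-z0-9_-] survive the strtr(), so the value is safe in URLs and headers.
    'url_safe'    => preg_match('/^[A-Za-z0-9_-]+$/', $raw) === 1,
    // 20 HMAC bytes -> 28 base64 chars with one '=' pad, 27 after stripping.
    'length'      => strlen($raw),
    // The casts keep the result non-empty even for a NULL key.
    'null_key_nonempty' => drupal_hmac_base64_raw($data, NULL) !== '',
    // A matching token verifies; a tampered payload does not.
    'valid_token'    => token_is_valid($data, $key, $raw),
    'tampered_token' => token_is_valid($data . 'x', $key, $raw),
  );
}

print_r(demo());
```

Running it prints same_output, url_safe and valid_token as true, tampered_token as false, null_key_nonempty as true and length as 27. The two encoders agree because hash_hmac() with the raw flag returns exactly the bytes that pack('H*', ...) reconstructs from the hex digest, which is why the thread can drop the pack() call once Pressflow no longer needs to avoid hash_hmac() for PHP 4 compatibility.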