Issue #3057314 by alexpott, chr.fritsch, larowlan: Harden hash checking in core
Lee Rowlands
parent
20496dd2e7
commit
cf939a5dc0
|
|
@ -679,7 +679,7 @@ function drupal_valid_test_ua($new_prefix = NULL) {
|
||||||
$test_hmac = Crypt::hmacBase64($check_string, $key);
|
$test_hmac = Crypt::hmacBase64($check_string, $key);
|
||||||
// Since we are making a local request a 600 second time window is allowed,
|
// Since we are making a local request a 600 second time window is allowed,
|
||||||
// and the HMAC must match.
|
// and the HMAC must match.
|
||||||
if ($time_diff >= 0 && $time_diff <= 600 && $hmac === $test_hmac) {
|
if ($time_diff >= 0 && $time_diff <= 600 && Crypt::hashEquals($test_hmac, $hmac)) {
|
||||||
$test_prefix = $prefix;
|
$test_prefix = $prefix;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
|
|
||||||
|
|
@ -110,7 +110,8 @@ class ManagedFile extends FormElement {
|
||||||
// token added by $this->processManagedFile().
|
// token added by $this->processManagedFile().
|
||||||
elseif (\Drupal::currentUser()->isAnonymous()) {
|
elseif (\Drupal::currentUser()->isAnonymous()) {
|
||||||
$token = NestedArray::getValue($form_state->getUserInput(), array_merge($element['#parents'], ['file_' . $file->id(), 'fid_token']));
|
$token = NestedArray::getValue($form_state->getUserInput(), array_merge($element['#parents'], ['file_' . $file->id(), 'fid_token']));
|
||||||
if ($token !== Crypt::hmacBase64('file-' . $file->id(), \Drupal::service('private_key')->get() . Settings::getHashSalt())) {
|
$file_hmac = Crypt::hmacBase64('file-' . $file->id(), \Drupal::service('private_key')->get() . Settings::getHashSalt());
|
||||||
|
if ($token === NULL || !Crypt::hashEquals($file_hmac, $token)) {
|
||||||
$force_default = TRUE;
|
$force_default = TRUE;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -109,7 +109,7 @@ class ImageStyleDownloadController extends FileDownloadController {
|
||||||
// starts with styles/.
|
// starts with styles/.
|
||||||
$valid = !empty($image_style) && $this->streamWrapperManager->isValidScheme($scheme);
|
$valid = !empty($image_style) && $this->streamWrapperManager->isValidScheme($scheme);
|
||||||
if (!$this->config('image.settings')->get('allow_insecure_derivatives') || strpos(ltrim($target, '\/'), 'styles/') === 0) {
|
if (!$this->config('image.settings')->get('allow_insecure_derivatives') || strpos(ltrim($target, '\/'), 'styles/') === 0) {
|
||||||
$valid &= $request->query->get(IMAGE_DERIVATIVE_TOKEN) === $image_style->getPathToken($image_uri);
|
$valid &= Crypt::hashEquals($image_style->getPathToken($image_uri), $request->query->get(IMAGE_DERIVATIVE_TOKEN, ''));
|
||||||
}
|
}
|
||||||
if (!$valid) {
|
if (!$valid) {
|
||||||
// Return a 404 (Page Not Found) rather than a 403 (Access Denied) as the
|
// Return a 404 (Page Not Found) rather than a 403 (Access Denied) as the
|
||||||
|
|
|
||||||
|
|
@ -87,7 +87,7 @@ class EntityAutocompleteController extends ControllerBase {
|
||||||
$selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
|
$selection_settings = $this->keyValue->get($selection_settings_key, FALSE);
|
||||||
if ($selection_settings !== FALSE) {
|
if ($selection_settings !== FALSE) {
|
||||||
$selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
|
$selection_settings_hash = Crypt::hmacBase64(serialize($selection_settings) . $target_type . $selection_handler, Settings::getHashSalt());
|
||||||
if ($selection_settings_hash !== $selection_settings_key) {
|
if (!Crypt::hashEquals($selection_settings_hash, $selection_settings_key)) {
|
||||||
// Disallow access when the selection settings hash does not match the
|
// Disallow access when the selection settings hash does not match the
|
||||||
// passed-in key.
|
// passed-in key.
|
||||||
throw new AccessDeniedHttpException('Invalid selection settings key.');
|
throw new AccessDeniedHttpException('Invalid selection settings key.');
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue