diff --git a/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFastFileStorage.php b/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFastFileStorage.php
index 3c5d55d..c7e6feb 100644
--- a/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFastFileStorage.php
+++ b/core/lib/Drupal/Component/PhpStorage/MTimeProtectedFastFileStorage.php
@@ -2,6 +2,8 @@
 namespace Drupal\Component\PhpStorage;
+use Drupal\Component\Utility\Crypt;
+
 /**
 * Stores PHP code in files with securely hashed names.
 *
@@ -130,7 +132,7 @@ public function getFullPath($name, &$directory = NULL, &$directory_mtime = NULL)
 if (!isset($directory_mtime)) {
 $directory_mtime = file_exists($directory) ? filemtime($directory) : 0;
 }
- return $directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';
+ return $directory . '/' . Crypt::hmacBase64($name, $this->secret . $directory_mtime) . '.php';
 }
 /**
@@ -225,7 +227,7 @@ protected function getUncachedMTime($directory) {
 */
 protected function tempnam($directory, $prefix) {
 do {
- $path = $directory . '/' . $prefix . substr(str_shuffle(hash('sha256', microtime())), 0, 10);
+ $path = $directory . '/' . $prefix . Crypt::randomBytesBase64(20);
 } while (file_exists($path));
 return $path;
 }
diff --git a/core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageBase.php b/core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageBase.php
index 64d17eb..af9fa05 100644
--- a/core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageBase.php
+++ b/core/tests/Drupal/Tests/Component/PhpStorage/MTimeProtectedFileStorageBase.php
@@ -2,6 +2,8 @@
 namespace Drupal\Tests\Component\PhpStorage;
+use Drupal\Component\Utility\Crypt;
+
 /**
 * Base test class for MTime protected storage.
 */
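Review bot: The new `return` in getFullPath() relies on `Crypt::hmacBase64()` never emitting a path separator, and nothing on that line says so. The helper produces URL-safe base64 (`+` and `/` mapped to `-` and `_`, padding stripped), so the name stays a single path component, but a comment such as `// hmacBase64() is URL-safe base64, so the file name cannot contain '/'.` would stop a later swap to plain base64 from silently changing the path. Files already written under the old hex names will presumably no longer be found once this lands and will be regenerated; whether the stale ones are cleaned up is not visible here. getFullPath() starts outside the hunk.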
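Review bot: The `file_exists()` loop in tempnam() only checks that a name is free, it does not reserve it, so uniqueness still depends on how the caller creates the file. `Crypt::randomBytesBase64(20)` makes the suffix unpredictable, unlike the `microtime()`-derived value it replaces, but the caller (outside this hunk) should still create the file exclusively, e.g. `fopen($path, 'x')`, rather than write over whatever is at the path. The docblock above tempnam() starts outside the hunk; it should state that the suffix comes from a cryptographically secure source and that the returned path is not reserved.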
@@ -77,7 +79,7 @@ public function testSecurity() {
 $expected_directory = $expected_root_directory . '/' . $name;
 }
 $directory_mtime = filemtime($expected_directory);
- $expected_filename = $expected_directory . '/' . hash_hmac('sha256', $name, $this->secret . $directory_mtime) . '.php';
+ $expected_filename = $expected_directory . '/' . Crypt::hmacBase64($name, $this->secret . $directory_mtime) . '.php';
 // Ensure the file exists and that it and the containing directory have
 // minimal permissions. fileperms() can return high bits unrelated to
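Review bot: `$expected_filename` in testSecurity() is built with the same `Crypt::hmacBase64()` call as the code under test, so the test shows the two agree but not that the name is a safe single path component. An extra assertion that `basename($expected_filename)` matches `/^[A-Za-z0-9_-]{43}\.php$/` (43 characters for an unpadded SHA-256 HMAC) would pin the URL-safe alphabet and the length, and would fail if the helper were ever swapped for plain base64. testSecurity() starts and ends outside the hunk.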