diff --git includes/actions.inc includes/actions.inc index 77734fe..56c94a4 100644 --- includes/actions.inc +++ includes/actions.inc @@ -197,7 +197,7 @@ function actions_get_all_actions() { } /** - * Creates an associative array keyed by md5 hashes of function names or IDs. + * Creates an associative array keyed by hashes of function names or IDs. * * Hashes are used to prevent actual function names from going out into HTML * forms and coming back. @@ -207,14 +207,14 @@ function actions_get_all_actions() { * and associative arrays with keys 'label', 'type', etc. as values. * This is usually the output of actions_list() or actions_get_all_actions(). * @return - * An associative array whose keys are md5 hashes of the input array keys, and + * An associative array whose keys are hashes of the input array keys, and * whose corresponding values are associative arrays with components * 'callback', 'label', 'type', and 'configurable' from the input array. */ function actions_actions_map($actions) { $actions_map = array(); foreach ($actions as $callback => $array) { - $key = md5($callback); + $key = drupal_hash_base64($callback); $actions_map[$key]['callback'] = isset($array['callback']) ? $array['callback'] : $callback; $actions_map[$key]['label'] = $array['label']; $actions_map[$key]['type'] = $array['type']; @@ -224,12 +224,12 @@ function actions_actions_map($actions) { } /** - * Given an md5 hash of an action array key, returns the key (function or ID). + * Given a hash of an action array key, returns the key (function or ID). * * Faster than actions_actions_map() when you only need the function name or ID. * * @param $hash - * MD5 hash of a function name or action ID array key. The array key + * Hash of a function name or action ID array key. The array key * is a key into the return value of actions_list() (array key is the action * function name) or actions_get_all_actions() (array key is the action ID). * @return @@ -239,13 +239,20 @@ function actions_function_lookup($hash) { // Check for a function name match. $actions_list = actions_list(); foreach ($actions_list as $function => $array) { - if (md5($function) == $hash) { + if (drupal_hash_base64($function) == $hash) { return $function; } } - + $aid = FALSE; // Must be a configurable action; check database. - return db_query("SELECT aid FROM {actions} WHERE MD5(aid) = :hash AND parameters <> ''", array(':hash' => $hash))->fetchField(); + $result = db_query("SELECT aid FROM {actions} WHERE parameters <> ''")->fetchAll(PDO::FETCH_ASSOC); + foreach ($result as $row) { + if (drupal_hash_base64($row['aid']) == $hash) { + $aid = $row['aid']; + break; + } + } + return $aid; } /** diff --git includes/bootstrap.inc includes/bootstrap.inc index 2f69743..43bd4b5 100644 --- includes/bootstrap.inc +++ includes/bootstrap.inc @@ -622,7 +622,7 @@ function drupal_settings_initialize() { ini_set('session.cookie_secure', TRUE); } $prefix = ini_get('session.cookie_secure') ? 'SSESS' : 'SESS'; - session_name($prefix . md5($session_name)); + session_name($prefix . substr(hash('sha256', $session_name), 0, 32)); } /** @@ -1709,6 +1709,91 @@ function drupal_block_denied($ip) { } /** + * Returns a string of highly randomized bytes (over the full 8-bit range). + * + * This function is better than simply calling mt_rand() or any other built-in + * PHP function because it can return a long string of bytes (compared to < 4 + * bytes normally from mt_rand()) and uses the best available pseudo-random source. + * + * @param $count + * The number of characters (bytes) to return in the string. + */ +function drupal_random_bytes($count) { + // $random_state does not use drupal_static as it stores random bytes. + static $random_state, $bytes; + // Initialize on the first call. The contents of $_SERVER includes a mix of + // user-specific and system information that varies a little with each page. + if (!isset($random_state)) { + $random_state = print_r($_SERVER, TRUE); + if (function_exists('getmypid')) { + // further initialize with the somewhat random PHP process ID. + $random_state .= getmypid(); + } + $bytes = ''; + } + if (strlen($bytes) < $count) { + // /dev/urandom is available on many *nix systems and is considered the + // best commonly available pseudo-random source. + if ($fh = @fopen('/dev/urandom', 'rb')) { + // PHP only performs buffered reads, so in reality it will always read + // at least 4096 bytes. Thus, it costs nothing extra to read and store + // that much so as to speed any additional invocations. + $bytes .= fread($fh, max(4096, $count)); + fclose($fh); + } + // If /dev/urandom is not available or returns no bytes, this loop will + // generate a good set of pseudo-random bytes on any system. + // Note that it may be important that our $random_state is passed + // through hash() prior to being rolled into $output, that the two hash() + // invocations are different, and that the extra input into the first one - + // the microtime() - is prepended rather than appended. This is to avoid + // directly leaking $random_state via the $output stream, which could + // allow for trivial prediction of further "random" numbers. + while (strlen($bytes) < $count) { + $random_state = hash('sha256', microtime() . mt_rand() . $random_state); + $bytes .= hash('sha256', mt_rand() . $random_state, TRUE); + } + } + $output = substr($bytes, 0, $count); + $bytes = substr($bytes, $count); + return $output; +} + +/** + * Calculate a base-64 encoded, URL-safe sha-256 hmac. + * + * @param $data + * String to be validated with the hmac. + * @param $key + * A secret string key. + * + * @return + * A base-64 encoded sha-256 hmac, with + replaced with -, / with _ and + * any = padding characters removed. + */ +function drupal_hmac_base64($data, $key) { + $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE)); + // Modify the hmac so it's safe to use in URLs. + return strtr($hmac, array('+' => '-', '/' => '_', '=' => '')); +} + +/** + * Calculate a base-64 encoded, URL-safe sha-256 hash. + * + * @param $data + * String to be hashed. + * + * @return + * A base-64 encoded sha-256 hash, with + replaced with -, / with _ and + * any = padding characters removed. + */ +function drupal_hash_base64($data) { + $hash = base64_encode(hash('sha256', $data, TRUE)); + // Modify the hash so it's safe to use in URLs. + return strtr($hash, array('+' => '-', '/' => '_', '=' => '')); +} + +/** * Generates a default anonymous $user object. * * @return Object - the user object. @@ -2028,7 +2113,7 @@ function drupal_valid_test_ua($user_agent) { $filepath = DRUPAL_ROOT . '/includes/bootstrap.inc'; $key = sha1(serialize($databases) . filectime($filepath) . fileinode($filepath), TRUE); // The HMAC must match. - return $hmac == base64_encode(hash_hmac('sha1', $check_string, $key, TRUE)); + return $hmac == drupal_hmac_base64($check_string, $key); } /** @@ -2048,7 +2133,7 @@ function drupal_generate_test_ua($prefix) { // Generate a moderately secure HMAC based on the database credentials. $salt = uniqid('', TRUE); $check_string = $prefix . ';' . time() . ';' . $salt; - return $check_string . ';' . base64_encode(hash_hmac('sha1', $check_string, $key, TRUE)); + return $check_string . ';' . drupal_hmac_base64($check_string, $key); } /** diff --git includes/common.inc includes/common.inc index d5a394d..7096822 100644 --- includes/common.inc +++ includes/common.inc @@ -2877,7 +2877,7 @@ function drupal_aggregate_css(&$css_groups) { if ($group['preprocess'] && $preprocess_css) { // Prefix filename to prevent blocking by firewalls which reject files // starting with "ad*". - $filename = 'css_' . md5(serialize($group['items'])) . '.css'; + $filename = 'css_' . drupal_hash_base64(serialize($group['items'])) . '.css'; $css_groups[$key]['data'] = drupal_build_css_cache($group['items'], $filename); } break; @@ -3749,7 +3749,7 @@ function drupal_get_js($scope = 'header', $javascript = NULL) { // Prefix filename to prevent blocking by firewalls which reject files // starting with "ad*". foreach ($files as $key => $file_set) { - $filename = 'js_' . md5(serialize($file_set)) . '.js'; + $filename = 'js_' . drupal_hash_base64(serialize($file_set)) . '.js'; $uri = drupal_build_js_cache($file_set, $filename); // Only include the file if was written successfully. Errors are logged // using watchdog. @@ -4235,45 +4235,6 @@ function drupal_json_output($var = NULL) { } /** - * Returns a string of highly randomized bytes (over the full 8-bit range). - * - * This function is better than simply calling mt_rand() or any other built-in - * PHP function because it can return a long string of bytes (compared to < 4 - * bytes normally from mt_rand()) and uses the best available pseudo-random source. - * - * @param $count - * The number of characters (bytes) to return in the string. - */ -function drupal_random_bytes($count) { - // $random_state does not use drupal_static as it stores random bytes. - static $random_state; - // We initialize with the somewhat random PHP process ID on the first call. - if (empty($random_state)) { - $random_state = getmypid(); - } - $output = ''; - // /dev/urandom is available on many *nix systems and is considered the best - // commonly available pseudo-random source. - if ($fh = @fopen('/dev/urandom', 'rb')) { - $output = fread($fh, $count); - fclose($fh); - } - // If /dev/urandom is not available or returns no bytes, this loop will - // generate a good set of pseudo-random bytes on any system. - // Note that it may be important that our $random_state is passed - // through md5() prior to being rolled into $output, that the two md5() - // invocations are different, and that the extra input into the first one - - // the microtime() - is prepended rather than appended. This is to avoid - // directly leaking $random_state via the $output stream, which could - // allow for trivial prediction of further "random" numbers. - while (strlen($output) < $count) { - $random_state = md5(microtime() . mt_rand() . $random_state); - $output .= md5(mt_rand() . $random_state, TRUE); - } - return substr($output, 0, $count); -} - -/** * Get a salt useful for hardening against SQL injection. * * @return @@ -4283,7 +4244,7 @@ function drupal_get_hash_salt() { global $drupal_hash_salt, $databases; // If the $drupal_hash_salt variable is empty, a hash of the serialized // database credentials is used as a fallback salt. - return empty($drupal_hash_salt) ? sha1(serialize($databases)) : $drupal_hash_salt; + return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt; } /** @@ -4294,7 +4255,7 @@ function drupal_get_hash_salt() { */ function drupal_get_private_key() { if (!($key = variable_get('drupal_private_key', 0))) { - $key = md5(drupal_random_bytes(64)); + $key = drupal_hash_base64(drupal_random_bytes(64)); variable_set('drupal_private_key', $key); } return $key; @@ -4307,10 +4268,7 @@ function drupal_get_private_key() { * An additional value to base the token on. */ function drupal_get_token($value = '') { - $private_key = drupal_get_private_key(); - // A single md5() is vulnerable to length-extension attacks, so use it twice. - // @todo: add md5 and sha1 hmac functions to core. - return md5(drupal_get_hash_salt() . md5(session_id() . $value . $private_key)); + return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt()); } /** @@ -5194,7 +5152,7 @@ function drupal_render_cache_set(&$markup, $elements) { function drupal_render_cache_by_query($query, $function, $expire = CACHE_TEMPORARY, $granularity = NULL) { $cache_keys = array_merge(array($function), drupal_render_cid_parts($granularity)); $query->preExecute(); - $cache_keys[] = md5(serialize(array((string) $query, $query->getArguments()))); + $cache_keys[] = hash('sha256', serialize(array((string) $query, $query->getArguments()))); return array( '#query' => $query, '#pre_render' => array($function . '_pre_render'), diff --git includes/form.inc includes/form.inc index 82835a7..407c8d0 100644 --- includes/form.inc +++ includes/form.inc @@ -203,7 +203,7 @@ function drupal_build_form($form_id, &$form_state) { } $form = drupal_retrieve_form($form_id, $form_state); - $form_build_id = 'form-' . md5(uniqid(mt_rand(), TRUE)); + $form_build_id = 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand()); $form['#build_id'] = $form_build_id; // Fix the form method, if it is 'get' in $form_state, but not in $form. @@ -331,7 +331,7 @@ function drupal_rebuild_form($form_id, &$form_state, $old_form = NULL) { // Otherwise, a new #build_id is generated, to not clobber the previous // build's data in the form cache; also allowing the user to go back to an // earlier build, make changes, and re-submit. - $form['#build_id'] = isset($old_form['#build_id']) ? $old_form['#build_id'] : 'form-' . md5(mt_rand()); + $form['#build_id'] = isset($old_form['#build_id']) ? $old_form['#build_id'] : 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand()); // #action defaults to request_uri(), but in case of AJAX and other partial // rebuilds, the form is submitted to an alternate URL, and the original diff --git includes/install.core.inc includes/install.core.inc index c9b4a8a..c9bc912 100644 --- includes/install.core.inc +++ includes/install.core.inc @@ -1004,7 +1004,7 @@ function install_settings_form_submit($form, &$form_state) { 'required' => TRUE, ); $settings['drupal_hash_salt'] = array( - 'value' => sha1(drupal_random_bytes(64)), + 'value' => drupal_hash_base64(drupal_random_bytes(64)), 'required' => TRUE, ); drupal_rewrite_settings($settings); diff --git includes/locale.inc includes/locale.inc index b5fe671..8e86192 100644 --- includes/locale.inc +++ includes/locale.inc @@ -1680,7 +1680,7 @@ function _locale_rebuild_js($langcode = NULL) { } $data .= "'strings': " . drupal_json_encode($translations) . " };"; - $data_hash = md5($data); + $data_hash = drupal_hash_base64($data); } // Construct the filepath where JS translation files are stored. diff --git includes/menu.inc includes/menu.inc index 8e2fb1f..8ef354e 100644 --- includes/menu.inc +++ includes/menu.inc @@ -407,9 +407,9 @@ function menu_get_item($path = NULL, $router_item = NULL) { $parts = array_slice($original_map, 0, MENU_MAX_PARTS); $ancestors = menu_get_ancestors($parts); - // Since there is no limit to the length of $path, but the cids are - // restricted to 255 characters, use md5() to keep it short yet unique. - $cid = 'menu_item:' . md5($path); + // Since there is no limit to the length of $path, use a hash to keep it + // short yet unique. + $cid = 'menu_item:' . hash('sha256', $path); if ($cached = cache_get($cid, 'cache_menu')) { $router_item = $cached->data; } @@ -1238,7 +1238,7 @@ function menu_tree_page_data($menu_name, $max_depth = NULL) { * Helper function - compute the real cache ID for menu tree data. */ function _menu_tree_cid($menu_name, $data) { - return 'links:' . $menu_name . ':tree-data:' . $GLOBALS['language']->language . ':' . md5(serialize($data)); + return 'links:' . $menu_name . ':tree-data:' . $GLOBALS['language']->language . ':' . hash('sha256', serialize($data)); } /** diff --git includes/password.inc includes/password.inc index 787f14b..8700679 100644 --- includes/password.inc +++ includes/password.inc @@ -16,15 +16,15 @@ /** * The standard log2 number of iterations for password stretching. This should - * increase by 1 at least every other Drupal version in order to counteract - * increases in the speed and power of computers available to crack the hashes. + * increase by 1 every Drupal version in order to counteract increases in the + * speed and power of computers available to crack the hashes. */ define('DRUPAL_HASH_COUNT', 14); /** * The minimum allowed log2 number of iterations for password stretching. */ -define('DRUPAL_MIN_HASH_COUNT', 7); +define('DRUPAL_MIN_HASH_COUNT', 5); /** * The maximum allowed log2 number of iterations for password stretching. @@ -49,7 +49,7 @@ function _password_itoa64() { * @return * Encoded string */ -function _password_base64_encode($input, $count) { +function _password_base64_encode($input, $count) { $output = ''; $i = 0; $itoa64 = _password_itoa64(); @@ -93,7 +93,7 @@ function _password_base64_encode($input, $count) { * A 12 character string containing the iteration count and a random salt. */ function _password_generate_salt($count_log2) { - $output = '$P$'; + $output = '$2$'; // Minimum log2 iterations is DRUPAL_MIN_HASH_COUNT. $count_log2 = max($count_log2, DRUPAL_MIN_HASH_COUNT); // Maximum log2 iterations is DRUPAL_MAX_HASH_COUNT. @@ -106,7 +106,7 @@ function _password_generate_salt($count_log2) { } /** - * Hash a password using a secure stretched hash. + * Hash a password using a secure stretched hash using md5. * * By using a salt and repeated hashing the password is "stretched". Its * security is increased because it becomes much more computationally costly @@ -121,7 +121,7 @@ function _password_generate_salt($count_log2) { * @return * A string containing the hashed password (and salt) or FALSE on failure. */ -function _password_crypt($password, $setting) { +function _password_crypt_md5($password, $setting) { // The first 12 characters of an existing hash are its setting string. $setting = substr($setting, 0, 12); @@ -158,6 +158,54 @@ function _password_crypt($password, $setting) { } /** + * Hash a password using a secure stretched hash using sha256. + * + * By using a salt and repeated hashing the password is "stretched". Its + * security is increased because it becomes much more computationally costly + * for an attacker to try to break the hash by brute-force computation of the + * hashes of a large number of plain-text words or strings to find a match. + * + * @param $password + * The plain-text password to hash. + * @param $setting + * An existing hash or the output of _password_generate_salt(). + * + * @return + * A string containing the hashed password (and salt) or FALSE on failure. + */ +function _password_crypt_sha256($password, $setting) { + // The first 12 characters of an existing hash are its setting string. + $setting = substr($setting, 0, 12); + + if (substr($setting, 0, 3) != '$2$') { + return FALSE; + } + $count_log2 = _password_get_count_log2($setting); + // Hashes may be imported from elsewhere, so we allow != DRUPAL_HASH_COUNT + if ($count_log2 < DRUPAL_MIN_HASH_COUNT || $count_log2 > DRUPAL_MAX_HASH_COUNT) { + return FALSE; + } + $salt = substr($setting, 4, 8); + // Hashes must have an 8 character salt. + if (strlen($salt) != 8) { + return FALSE; + } + + // We rely on the hash() function being available. + + $count = 1 << $count_log2; + + $hash = hash('sha256', $salt . $password, TRUE); + do { + $hash = hash('sha256', $hash . $password, TRUE); + } while (--$count); + + $output = $setting . _password_base64_encode($hash, 32); + // _password_base64_encode() of a 32 byte sha-256 will always be 43 characters. + return (strlen($output) == 55) ? $output : FALSE; +} + +/** * Parse the log2 iteration count from a stored hash or setting string. */ function _password_get_count_log2($setting) { @@ -182,7 +230,7 @@ function user_hash_password($password, $count_log2 = 0) { // Use the standard iteration count. $count_log2 = variable_get('password_count_log2', DRUPAL_HASH_COUNT); } - return _password_crypt($password, _password_generate_salt($count_log2)); + return _password_crypt_sha256($password, _password_generate_salt($count_log2)); } /** @@ -201,7 +249,7 @@ function user_hash_password($password, $count_log2 = 0) { * TRUE or FALSE. */ function user_check_password($password, $account) { - if (substr($account->pass, 0, 3) == 'U$P') { + if (substr($account->pass, 0, 2) == 'U$') { // This may be an updated password from user_update_7000(). Such hashes // have 'U' added as the first character and need an extra md5(). $stored_hash = substr($account->pass, 1); @@ -210,7 +258,22 @@ function user_check_password($password, $account) { else { $stored_hash = $account->pass; } - $hash = _password_crypt($password, $stored_hash); + + $type = substr($stored_hash, 0, 3); + switch ($type) { + case '$2$': + $hash = _password_crypt_sha256($password, $stored_hash); + break; + case '$H$': + // phpBB3 uses "$H$" for the same thing as "$P$". + $stored_hash[1] = 'P'; + // Fall through. + case '$P$': + $hash = _password_crypt_md5($password, $stored_hash); + break; + default: + return FALSE; + } return ($hash && $stored_hash == $hash); } @@ -234,7 +297,7 @@ function user_check_password($password, $account) { */ function user_needs_new_hash($account) { // Check whether this was an updated password. - if ((substr($account->pass, 0, 3) != '$P$') || (strlen($account->pass) != 34)) { + if ((substr($account->pass, 0, 3) != '$2$') || (strlen($account->pass) != 55)) { return TRUE; } // Check whether the iteration count used differs from the standard number. diff --git includes/session.inc includes/session.inc index 542253e..2996bd0 100644 --- includes/session.inc +++ includes/session.inc @@ -206,7 +206,10 @@ function drupal_session_initialize() { // processes (like drupal_get_token()) needs to know the future // session ID in advance. $user = drupal_anonymous_user(); - session_id(md5(uniqid('', TRUE))); + // Less random sessions (which are much faster to generate) are used for + // anonymous users than are generated in drupal_session_regenerate() when + // a user becomes authenticated. + session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE))); } date_default_timezone_set(drupal_get_user_timezone()); } @@ -284,7 +287,7 @@ function drupal_session_regenerate() { if ($is_https && variable_get('https', FALSE)) { $insecure_session_name = substr(session_name(), 1); $params = session_get_cookie_params(); - $session_id = md5(uniqid(mt_rand(), TRUE)); + $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55)); setcookie($insecure_session_name, $session_id, REQUEST_TIME + $params['lifetime'], $params['path'], $params['domain'], FALSE, $params['httponly']); $_COOKIE[$insecure_session_name] = $session_id; } diff --git modules/aggregator/aggregator.install modules/aggregator/aggregator.install index 402774e..4ed9afc 100644 --- modules/aggregator/aggregator.install +++ modules/aggregator/aggregator.install @@ -170,10 +170,10 @@ function aggregator_schema() { ), 'hash' => array( 'type' => 'varchar', - 'length' => 32, + 'length' => 64, 'not null' => TRUE, 'default' => '', - 'description' => 'Calculated md5 hash of the feed data, used for validating cache.', + 'description' => 'Calculated hash of the feed data, used for validating cache.', ), 'etag' => array( 'type' => 'varchar', @@ -275,7 +275,7 @@ function aggregator_schema() { * Add hash column to aggregator_feed table. */ function aggregator_update_7000() { - db_add_field('aggregator_feed', 'hash', array('type' => 'varchar', 'length' => 32, 'not null' => TRUE, 'default' => '')); + db_add_field('aggregator_feed', 'hash', array('type' => 'varchar', 'length' => 64, 'not null' => TRUE, 'default' => '')); } /** @@ -297,3 +297,4 @@ function aggregator_update_7002() { )); db_add_index('aggregator_feed', 'queued', array('queued')); } + diff --git modules/aggregator/aggregator.module modules/aggregator/aggregator.module index 467423a..d6a8872 100644 --- modules/aggregator/aggregator.module +++ modules/aggregator/aggregator.module @@ -614,12 +614,12 @@ function aggregator_refresh($feed) { list($fetcher, $parser, $processors) = _aggregator_get_variables(); $success = module_invoke($fetcher, 'aggregator_fetch', $feed); - // We store the md5 hash of feed data in the database. When refreshing a + // We store the hash of feed data in the database. When refreshing a // feed we compare stored hash and new hash calculated from downloaded // data. If both are equal we say that feed is not updated. - $md5 = md5($feed->source_string); + $hash = hash('sha256', $feed->source_string); - if ($success && ($feed->hash != $md5)) { + if ($success && ($feed->hash != $hash)) { // Parse the feed. if (module_invoke($parser, 'aggregator_parse', $feed)) { // Update feed with parsed data. @@ -630,7 +630,7 @@ function aggregator_refresh($feed) { 'link' => empty($feed->link) ? $feed->url : $feed->link, 'description' => empty($feed->description) ? '' : $feed->description, 'image' => empty($feed->image) ? '' : $feed->image, - 'hash' => $md5, + 'hash' => $hash, 'etag' => empty($feed->etag) ? '' : $feed->etag, 'modified' => empty($feed->modified) ? 0 : $feed->modified, )) diff --git modules/aggregator/tests/aggregator_test.module modules/aggregator/tests/aggregator_test.module index 35d626a..172a56e 100644 --- modules/aggregator/tests/aggregator_test.module +++ modules/aggregator/tests/aggregator_test.module @@ -25,7 +25,7 @@ function aggregator_test_menu() { */ function aggregator_test_feed($use_last_modified = FALSE, $use_etag = FALSE) { $last_modified = strtotime('Sun, 19 Nov 1978 05:00:00 GMT'); - $etag = md5($last_modified); + $etag = drupal_hash_base64($last_modified); $if_modified_since = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) : FALSE; $if_none_match = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) : FALSE; diff --git modules/book/book.admin.inc modules/book/book.admin.inc index ffdcf88..61be213 100644 --- modules/book/book.admin.inc +++ modules/book/book.admin.inc @@ -154,7 +154,7 @@ function _book_admin_table($node, &$form) { $tree = book_menu_subtree_data($node->book); $tree = array_shift($tree); // Do not include the book item itself. if ($tree['below']) { - $hash = sha1(serialize($tree['below'])); + $hash = drupal_hash_base64(serialize($tree['below'])); // Store the hash value as a hidden form element so that we can detect // if another user changed the book hierarchy. $form['tree_hash'] = array( diff --git modules/book/book.module modules/book/book.module index 2f6dfc0..5726090 100644 --- modules/book/book.module +++ modules/book/book.module @@ -1254,7 +1254,7 @@ function book_menu_subtree_data($link) { $data['node_links'] = array(); menu_tree_collect_node_links($data['tree'], $data['node_links']); // Compute the real cid for book subtree data. - $tree_cid = 'links:' . $item['menu_name'] . ':subtree-data:' . md5(serialize($data)); + $tree_cid = 'links:' . $item['menu_name'] . ':subtree-data:' . hash('sha256', serialize($data)); // Cache the data, if it is not already in the cache. if (!cache_get($tree_cid, 'cache_menu')) { diff --git modules/color/color.module modules/color/color.module index e34b469..f6572fd 100644 --- modules/color/color.module +++ modules/color/color.module @@ -316,7 +316,7 @@ function color_scheme_form_submit($form, &$form_state) { } // Prepare target locations for generated files. - $id = $theme . '-' . substr(md5(serialize($palette) . microtime()), 0, 8); + $id = $theme . '-' . substr(hash('sha256', serialize($palette) . microtime()), 0, 8); $paths['color'] = 'public://color'; $paths['target'] = $paths['color'] . '/' . $id; foreach ($paths as $path) { diff --git modules/field/tests/field.test modules/field/tests/field.test index a9b4bd2..c56cf3b 100644 --- modules/field/tests/field.test +++ modules/field/tests/field.test @@ -2715,7 +2715,7 @@ class FieldTranslationsTestCase extends FieldTestCase { $results = _field_invoke('test_op', $entity_type, $entity); foreach ($results as $langcode => $result) { - $hash = md5(serialize(array($entity_type, $entity, $this->field_name, $langcode, $values[$langcode]))); + $hash = hash('sha256', serialize(array($entity_type, $entity, $this->field_name, $langcode, $values[$langcode]))); // Check whether the parameters passed to _field_invoke() were correctly // forwarded to the callback function. $this->assertEqual($hash, $result, t('The result for %language is correctly stored.', array('%language' => $langcode))); @@ -2757,7 +2757,7 @@ class FieldTranslationsTestCase extends FieldTestCase { $grouped_results = _field_invoke_multiple('test_op_multiple', $entity_type, $entities); foreach ($grouped_results as $id => $results) { foreach ($results as $langcode => $result) { - $hash = md5(serialize(array($entity_type, $entities[$id], $this->field_name, $langcode, $values[$id][$langcode]))); + $hash = hash('sha256', serialize(array($entity_type, $entities[$id], $this->field_name, $langcode, $values[$id][$langcode]))); // Check whether the parameters passed to _field_invoke() were correctly // forwarded to the callback function. $this->assertEqual($hash, $result, t('The result for entity %id/%language is correctly stored.', array('%id' => $id, '%language' => $langcode))); diff --git modules/field/tests/field_test.module modules/field/tests/field_test.module index 7cd2e32..03ae9a4 100644 --- modules/field/tests/field_test.module +++ modules/field/tests/field_test.module @@ -69,7 +69,7 @@ function field_test_menu() { * This simulates a field operation callback to be invoked by _field_invoke(). */ function field_test_field_test_op($entity_type, $entity, $field, $instance, $langcode, &$items) { - return array($langcode => md5(serialize(array($entity_type, $entity, $field['field_name'], $langcode, $items)))); + return array($langcode => hash('sha256', serialize(array($entity_type, $entity, $field['field_name'], $langcode, $items)))); } /** @@ -81,7 +81,7 @@ function field_test_field_test_op($entity_type, $entity, $field, $instance, $lan function field_test_field_test_op_multiple($entity_type, $entities, $field, $instances, $langcode, &$items) { $result = array(); foreach ($entities as $id => $entity) { - $result[$id] = array($langcode => md5(serialize(array($entity_type, $entity, $field['field_name'], $langcode, $items[$id])))); + $result[$id] = array($langcode => hash('sha256', serialize(array($entity_type, $entity, $field['field_name'], $langcode, $items[$id])))); } return $result; } diff --git modules/file/file.module modules/file/file.module index b8f78b7..ccbcac3 100644 --- modules/file/file.module +++ modules/file/file.module @@ -411,7 +411,7 @@ function file_managed_file_process($element, &$form_state, $form) { // Add progress bar support to the upload if possible. if ($element['#progress_indicator'] == 'bar' && $implementation = file_progress_implementation()) { - $upload_progress_key = md5(mt_rand()); + $upload_progress_key = mt_rand(); if ($implementation == 'uploadprogress') { $element['UPLOAD_IDENTIFIER'] = array( diff --git modules/filter/filter.install modules/filter/filter.install index e295574..6edc030 100644 --- modules/filter/filter.install +++ modules/filter/filter.install @@ -98,7 +98,7 @@ function filter_schema() { ); $schema['cache_filter'] = drupal_get_schema_unprocessed('system', 'cache'); - $schema['cache_filter']['description'] = 'Cache table for the Filter module to store already filtered pieces of text, identified by text format and md5 hash of the text.'; + $schema['cache_filter']['description'] = 'Cache table for the Filter module to store already filtered pieces of text, identified by text format and hash of the text.'; return $schema; } diff --git modules/filter/filter.module modules/filter/filter.module index 2b4bddf..5602482 100644 --- modules/filter/filter.module +++ modules/filter/filter.module @@ -679,7 +679,7 @@ function check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE) $cache = $cache && !empty($format->cache); $cache_id = ''; if ($cache) { - $cache_id = $format->format . ':' . $langcode . ':' . md5($text); + $cache_id = $format->format . ':' . $langcode . ':' . hash('sha256', $text); if ($cached = cache_get($cache_id, 'cache_filter')) { return $cached->data; } diff --git modules/image/image.module modules/image/image.module index 932b32a..cdd9897 100644 --- modules/image/image.module +++ modules/image/image.module @@ -591,19 +591,19 @@ function image_style_generate() { $path = implode('/', $args); $path = $scheme . '://' . $path; - $path_md5 = md5($path); + $path_hash = drupal_hash_base64($path); $destination = image_style_path($style['name'], $path); // Check that it's a defined style and that access was granted by // image_style_url(). - if (!$style || !cache_get('access:' . $style_name . ':' . $path_md5, 'cache_image')) { + if (!$style || !cache_get('access:' . $style_name . ':' . $path_hash, 'cache_image')) { drupal_access_denied(); drupal_exit(); } // Don't start generating the image if the derivate already exists or if // generation is in progress in another thread. - $lock_name = 'image_style_generate:' . $style_name . ':' . $path_md5; + $lock_name = 'image_style_generate:' . $style_name . ':' . $path_hash; if (!file_exists($destination)) { $lock_acquired = lock_acquire($lock_name); if (!$lock_acquired) { @@ -742,7 +742,7 @@ function image_style_url($style_name, $path) { // Set a cache entry to grant access to this style/image path. This will be // checked by image_style_generate(). - cache_set('access:' . $style_name . ':' . md5($path), 1, 'cache_image', REQUEST_TIME + 600); + cache_set('access:' . $style_name . ':' . drupal_hash_base64($path), 1, 'cache_image', REQUEST_TIME + 600); $scheme = file_uri_scheme($path); $target = file_uri_target($path); diff --git modules/image/image.test modules/image/image.test index c0e3d22..4fa693d 100644 --- modules/image/image.test +++ modules/image/image.test @@ -113,7 +113,7 @@ class ImageStylesPathAndUrlUnitTest extends DrupalWebTestCase { // Fetch the URL that generates the file while another process appears to // be generating the same file (this is signaled using a lock). - $lock_name = 'image_style_generate:' . $this->style_name . ':' . md5($original_uri); + $lock_name = 'image_style_generate:' . $this->style_name . ':' . drupal_hash_base64($original_uri); $this->assertTrue(lock_acquire($lock_name), t('Lock was acquired.')); $this->drupalGet($expected_generate_url); $this->assertResponse(503, t('Service Unavailable response received.')); diff --git modules/locale/locale.install modules/locale/locale.install index 93fb793..dc1abaf 100644 --- modules/locale/locale.install +++ modules/locale/locale.install @@ -82,6 +82,13 @@ function locale_update_7001() { } /** + * Allow longer javascript file names. + */ +function locale_update_7002() { + db_change_field('languages', 'javascript', 'javascript', array('type' => 'varchar', 'length' => 64, 'not null' => TRUE, 'default' => '')); +} + +/** * @} End of "defgroup updates-6.x-to-7.x" */ @@ -207,7 +214,7 @@ function locale_schema() { ), 'javascript' => array( 'type' => 'varchar', - 'length' => 32, + 'length' => 64, 'not null' => TRUE, 'default' => '', 'description' => 'Location of JavaScript translation file.', diff --git modules/menu/menu.test modules/menu/menu.test index 3c99e26..7862420 100644 --- modules/menu/menu.test +++ modules/menu/menu.test @@ -100,7 +100,7 @@ class MenuTestCase extends DrupalWebTestCase { */ function addCustomMenuCRUD() { // Add a new custom menu. - $menu_name = substr(md5($this->randomName(16)), 0, MENU_MAX_MENU_NAME_LENGTH_UI); + $menu_name = substr(hash('sha256', $this->randomName(16)), 0, MENU_MAX_MENU_NAME_LENGTH_UI); $title = $this->randomName(16); $menu = array( @@ -130,7 +130,7 @@ class MenuTestCase extends DrupalWebTestCase { // Try adding a menu using a menu_name that is too long. $this->drupalGet('admin/structure/menu/add'); - $menu_name = substr(md5($this->randomName(16)), 0, MENU_MAX_MENU_NAME_LENGTH_UI + 1); + $menu_name = substr(hash('sha256', $this->randomName(16)), 0, MENU_MAX_MENU_NAME_LENGTH_UI + 1); $title = $this->randomName(16); $edit = array( 'menu_name' => $menu_name, @@ -143,7 +143,7 @@ class MenuTestCase extends DrupalWebTestCase { $this->assertText(format_plural(MENU_MAX_MENU_NAME_LENGTH_UI, "The menu name can't be longer than 1 character.", "The menu name can't be longer than @count characters."), t('Validation failed when menu name is too long.')); // Change the menu_name so it no longer exceeds the maximum length. - $menu_name = substr(md5($this->randomName(16)), 0, MENU_MAX_MENU_NAME_LENGTH_UI); + $menu_name = substr(hash('sha256', $this->randomName(16)), 0, MENU_MAX_MENU_NAME_LENGTH_UI); $edit['menu_name'] = $menu_name; $this->drupalPost('admin/structure/menu/add', $edit, t('Save')); diff --git modules/simpletest/drupal_web_test_case.php modules/simpletest/drupal_web_test_case.php index 217aadc..04b9fe1 100644 --- modules/simpletest/drupal_web_test_case.php +++ modules/simpletest/drupal_web_test_case.php @@ -1072,7 +1072,7 @@ class DrupalWebTestCase extends DrupalTestCase { */ protected function drupalGetToken($value = '') { $private_key = drupal_get_private_key(); - return md5($this->session_id . $value . $private_key); + return drupal_hmac_base64($value, $this->session_id . $private_key); } /* diff --git modules/simpletest/tests/actions.test modules/simpletest/tests/actions.test index 3a098a8..c673d94 100644 --- modules/simpletest/tests/actions.test +++ modules/simpletest/tests/actions.test @@ -21,7 +21,7 @@ class ActionsConfigurationTestCase extends DrupalWebTestCase { // Make a POST request to admin/config/system/actions/manage. $edit = array(); - $edit['action'] = md5('system_goto_action'); + $edit['action'] = drupal_hash_base64('system_goto_action'); $this->drupalPost('admin/config/system/actions/manage', $edit, t('Create')); // Make a POST request to the individual action configuration page. @@ -29,7 +29,7 @@ class ActionsConfigurationTestCase extends DrupalWebTestCase { $action_label = $this->randomName(); $edit['actions_label'] = $action_label; $edit['url'] = 'admin'; - $this->drupalPost('admin/config/system/actions/configure/' . md5('system_goto_action'), $edit, t('Save')); + $this->drupalPost('admin/config/system/actions/configure/' . drupal_hash_base64('system_goto_action'), $edit, t('Save')); // Make sure that the new complex action was saved properly. $this->assertText(t('The action has been successfully saved.'), t("Make sure we get a confirmation that we've successfully saved the complex action.")); @@ -87,7 +87,7 @@ class ActionLoopTestCase extends DrupalWebTestCase { $user = $this->drupalCreateUser(array('administer actions')); $this->drupalLogin($user); - $hash = md5('actions_loop_test_log'); + $hash = drupal_hash_base64('actions_loop_test_log'); $edit = array('aid' => $hash); $this->drupalPost('admin/structure/trigger/actions_loop_test', $edit, t('Assign')); diff --git modules/simpletest/tests/registry.test modules/simpletest/tests/registry.test index f77db6d..1733f5d 100644 --- modules/simpletest/tests/registry.test +++ modules/simpletest/tests/registry.test @@ -11,9 +11,10 @@ class RegistryParseFileTestCase extends DrupalWebTestCase { } function setUp() { - $this->fileName = 'registry_test_' . md5(rand()); - $this->className = 'registry_test_class' . md5(rand()); - $this->interfaceName = 'registry_test_interface' . md5(rand()); + $chrs = hash('sha256', microtime() . mt_rand()); + $this->fileName = 'registry_test_' . substr($chrs, 0, 16); + $this->className = 'registry_test_class' . substr($chrs, 16, 16); + $this->interfaceName = 'registry_test_interface' . substr($chrs, 32, 16); parent::setUp(); } @@ -61,18 +62,19 @@ class RegistryParseFilesTestCase extends DrupalWebTestCase { // Create files with some php to parse - one 'new', one 'existing' so // we test all the important code paths in _registry_parse_files. foreach ($this->fileTypes as $fileType) { + $chrs = hash('sha256', microtime() . mt_rand()); $this->$fileType = new stdClass(); - $this->$fileType->fileName = file_directory_path() . '/registry_test_' . md5(rand()); - $this->$fileType->className = 'registry_test_class' . md5(rand()); - $this->$fileType->interfaceName = 'registry_test_interface' . md5(rand()); + $this->$fileType->fileName = file_directory_path() . '/registry_test_' . substr($chrs, 0, 16); + $this->$fileType->className = 'registry_test_class' . substr($chrs, 16, 16); + $this->$fileType->interfaceName = 'registry_test_interface' . substr($chrs, 32, 16); $this->$fileType->contents = $this->getFileContents($fileType); file_save_data($this->$fileType->contents, $this->$fileType->fileName); if ($fileType == 'existing_changed') { db_insert('registry_file') ->fields(array( - 'filectime' => rand(1, 1000000), - 'filemtime' => rand(1, 1000000), + 'filectime' => mt_rand(1, 1000000), + 'filemtime' => mt_rand(1, 1000000), 'filename' => $this->$fileType->fileName, )) ->execute(); @@ -81,7 +83,7 @@ class RegistryParseFilesTestCase extends DrupalWebTestCase { foreach (array('class', 'interface') as $type) { db_insert('registry') ->fields(array( - 'name' => $type . md5(rand()), + 'name' => $type . hash('sha256', microtime() . mt_rand()), 'type' => $type, 'filename' => $this->$fileType->fileName, )) @@ -117,8 +119,8 @@ class RegistryParseFilesTestCase extends DrupalWebTestCase { foreach ($this->fileTypes as $fileType) { $files[$this->$fileType->fileName] = array('module' => '', 'weight' => 0); if ($fileType == 'existing_changed') { - $files[$this->$fileType->fileName]['filectime'] = rand(1, 1000000); - $files[$this->$fileType->fileName]['filemtime'] = rand(1, 1000000); + $files[$this->$fileType->fileName]['filectime'] = mt_rand(1, 1000000); + $files[$this->$fileType->fileName]['filemtime'] = mt_rand(1, 1000000); } } return $files; diff --git modules/system/system.admin.inc modules/system/system.admin.inc index eafa6f1..9d778be 100644 --- modules/system/system.admin.inc +++ modules/system/system.admin.inc @@ -2934,7 +2934,7 @@ function system_actions_manage_form_submit($form, &$form_state) { * on our elements. * * @param $action - * md5 hash of an action ID or an integer. If it is an md5 hash, we are + * Hash of an action ID or an integer. If it is a hash, we are * creating a new instance. If it is an integer, we are editing an existing * instance. * @return @@ -2959,7 +2959,7 @@ function system_actions_configure($form, &$form_state, $action = NULL) { $edit['actions_label'] = $data->label; $edit['actions_type'] = $data->type; $function = $data->callback; - $action = md5($data->callback); + $action = drupal_hash_base64($data->callback); $params = unserialize($data->parameters); if ($params) { foreach ($params as $name => $val) { diff --git modules/system/system.install modules/system/system.install index 4292210..d108ec7 100644 --- modules/system/system.install +++ modules/system/system.install @@ -414,7 +414,7 @@ function system_install() { ->execute(); // Populate the cron key variable. - $cron_key = md5(mt_rand()); + $cron_key = drupal_hash_base64(drupal_random_bytes(55)); variable_set('cron_key', $cron_key); } @@ -1650,7 +1650,7 @@ function system_update_7000() { * Generate a cron key and save it in the variables table. */ function system_update_7001() { - variable_set('cron_key', md5(mt_rand())); + variable_set('cron_key', drupal_hash_base64(drupal_random_bytes(55))); } /** diff --git modules/trigger/trigger.admin.inc modules/trigger/trigger.admin.inc index a7b6bf8..15e540a 100644 --- modules/trigger/trigger.admin.inc +++ modules/trigger/trigger.admin.inc @@ -155,10 +155,11 @@ function trigger_assign_form($form, $form_state, $module, $hook, $label) { foreach ($actions as $aid => $info) { // If action is defined unassign it, otherwise offer to delete all orphaned // actions. - if (actions_function_lookup(md5($aid))) { + $hash = drupal_hash_base64($aid, TRUE); + if (actions_function_lookup($hash)) { $form[$hook]['assigned']['#value'][$aid] = array( 'label' => $info['label'], - 'link' => l(t('unassign'), "admin/structure/trigger/unassign/$module/$hook/" . md5($aid)), + 'link' => l(t('unassign'), "admin/structure/trigger/unassign/$module/$hook/$hash"), ); } else { diff --git modules/trigger/trigger.test modules/trigger/trigger.test index 408eb2b..0535b40 100644 --- modules/trigger/trigger.test +++ modules/trigger/trigger.test @@ -19,7 +19,7 @@ class TriggerWebTestCase extends DrupalWebTestCase { */ protected function configureAdvancedAction($action, $edit) { // Create an advanced action. - $hash = md5($action); + $hash = drupal_hash_base64($action); $this->drupalPost("admin/config/system/actions/configure/$hash", $edit, t('Save')); $this->assertText(t('The action has been successfully saved.')); @@ -58,7 +58,7 @@ class TriggerContentTestCase extends TriggerWebTestCase { $test_user = $this->drupalCreateUser(array('administer actions')); $web_user = $this->drupalCreateUser(array('create page content', 'access content', 'administer nodes')); foreach ($content_actions as $action) { - $hash = md5($action); + $hash = drupal_hash_base64($action); $info = $this->actionInfo($action); // Assign an action to a trigger, then pull the trigger, and make sure @@ -112,7 +112,7 @@ class TriggerContentTestCase extends TriggerWebTestCase { } $action_id = 'trigger_test_generic_any_action'; - $hash = md5($action_id); + $hash = drupal_hash_base64($action_id); $edit = array('aid' => $hash); $this->drupalPost('admin/structure/trigger/node', $edit, t('Assign'), array(), array(), 'trigger-node-update-assign-form'); @@ -200,7 +200,7 @@ class TriggerCronTestCase extends TriggerWebTestCase { $this->drupalLogin($test_user); // Assign a non-configurable action to the cron run trigger. - $edit = array('aid' => md5('trigger_test_system_cron_action')); + $edit = array('aid' => drupal_hash_base64('trigger_test_system_cron_action')); $this->drupalPost('admin/structure/trigger/system', $edit, t('Assign'), array(), array(), 'trigger-cron-assign-form'); // Assign a configurable action to the cron trigger. @@ -212,7 +212,7 @@ class TriggerCronTestCase extends TriggerWebTestCase { $aid = $this->configureAdvancedAction('trigger_test_system_cron_conf_action', $edit); // $aid is likely 3 but if we add more uses for the sequences table in // core it might break, so it is easier to get the value from the database. - $edit = array('aid' => md5($aid)); + $edit = array('aid' => drupal_hash_base64($aid)); $this->drupalPost('admin/structure/trigger/system', $edit, t('Assign'), array(), array(), 'trigger-cron-assign-form'); // Add a second configurable action to the cron trigger. @@ -222,7 +222,7 @@ class TriggerCronTestCase extends TriggerWebTestCase { 'subject' => $action_label, ); $aid = $this->configureAdvancedAction('trigger_test_system_cron_conf_action', $edit); - $edit = array('aid' => md5($aid)); + $edit = array('aid' => drupal_hash_base64($aid)); $this->drupalPost('admin/structure/trigger/system', $edit, t('Assign'), array(), array(), 'trigger-cron-assign-form'); // Force a cron run. @@ -265,7 +265,7 @@ class TriggerOtherTestCase extends TriggerWebTestCase { $test_user = $this->drupalCreateUser(array('administer actions')); $this->drupalLogin($test_user); $action_id = 'trigger_test_generic_action'; - $hash = md5($action_id); + $hash = drupal_hash_base64($action_id); $edit = array('aid' => $hash); $this->drupalPost('admin/structure/trigger/user', $edit, t('Assign'), array(), array(), 'trigger-user-insert-assign-form'); @@ -300,7 +300,7 @@ class TriggerOtherTestCase extends TriggerWebTestCase { // Configure an advanced action that we can assign. $aid = $this->configureAdvancedAction('system_message_action', $action_edit); - $edit = array('aid' => md5($aid)); + $edit = array('aid' => drupal_hash_base64($aid)); $this->drupalPost('admin/structure/trigger/user', $edit, t('Assign'), array(), array(), 'trigger-user-login-assign-form'); // Verify that the action has been assigned to the correct hook. @@ -322,7 +322,7 @@ class TriggerOtherTestCase extends TriggerWebTestCase { $test_user = $this->drupalCreateUser(array('administer actions')); $this->drupalLogin($test_user); $action_id = 'trigger_test_generic_action'; - $hash = md5($action_id); + $hash = drupal_hash_base64($action_id); $edit = array('aid' => $hash); $this->drupalPost('admin/structure/trigger/comment', $edit, t('Assign'), array(), array(), 'trigger-comment-insert-assign-form'); @@ -351,7 +351,7 @@ class TriggerOtherTestCase extends TriggerWebTestCase { $test_user = $this->drupalCreateUser(array('administer actions')); $this->drupalLogin($test_user); $action_id = 'trigger_test_generic_action'; - $hash = md5($action_id); + $hash = drupal_hash_base64($action_id); $edit = array('aid' => $hash); $this->drupalPost('admin/structure/trigger/taxonomy', $edit, t('Assign'), array(), array(), 'trigger-taxonomy-term-insert-assign-form'); @@ -403,7 +403,7 @@ class TriggerOrphanedActionsTestCase extends DrupalWebTestCase { */ function testActionsOrphaned() { $action = 'trigger_test_generic_any_action'; - $hash = md5($action); + $hash = drupal_hash_base64($action); // Assign an action from a disable-able module to a trigger, then pull the // trigger, and make sure the actions fire. diff --git modules/update/update.fetch.inc modules/update/update.fetch.inc index 7944828..9db4d1c 100644 --- modules/update/update.fetch.inc +++ modules/update/update.fetch.inc @@ -137,7 +137,7 @@ function _update_process_fetch_task($project) { $success = FALSE; $available = array(); - $site_key = md5($base_url . drupal_get_private_key()); + $site_key = drupal_hmac_base64($base_url, drupal_get_private_key()); $url = _update_build_fetch_url($project, $site_key); $fetch_url_base = _update_get_fetch_url_base($project); $project_name = $project['name']; diff --git modules/user/user.module modules/user/user.module index 0b24fa2..ca23ed6 100644 --- modules/user/user.module +++ modules/user/user.module @@ -2079,8 +2079,7 @@ function user_cancel_url($account) { } function user_pass_rehash($password, $timestamp, $login) { - // A single md5() is vulnerable to length-extension attacks, so use it twice. - return md5(drupal_get_hash_salt() . md5($timestamp . $password . $login)); + return drupal_hmac_base64($timestamp . $login, drupal_get_hash_salt() . $password); } /** diff --git modules/user/user.pages.inc modules/user/user.pages.inc index d59ded1..a51c30f 100644 --- modules/user/user.pages.inc +++ modules/user/user.pages.inc @@ -133,7 +133,7 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a user_login_finalize(); drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.')); // Let the user's password be changed without the current password check. - $token = md5(drupal_random_bytes(55)); + $token = drupal_hash_base64(drupal_random_bytes(55)); $_SESSION['pass_reset_' . $user->uid] = $token; drupal_goto('user/' . $user->uid . '/edit', array('query' => array('pass-reset-token' => $token))); } diff --git modules/user/user.test modules/user/user.test index 64af9aa..ecd5d63 100644 --- modules/user/user.test +++ modules/user/user.test @@ -1259,7 +1259,7 @@ class UserBlocksUnitTests extends DrupalWebTestCase { private function insertSession(array $fields = array()) { $fields += array( 'uid' => 0, - 'sid' => md5(uniqid(mt_rand(), TRUE)), + 'sid' => drupal_hash_base64(uniqid(mt_rand(), TRUE)), 'timestamp' => REQUEST_TIME, ); db_insert('sessions') diff --git scripts/password-hash.sh scripts/password-hash.sh index a7660fb..82813b9 100755 --- scripts/password-hash.sh +++ scripts/password-hash.sh @@ -13,10 +13,6 @@ * Plain-text passwords in quotes (or with spaces backslash escaped). */ -function variable_get($x, $default) { - return $default; -} - if (version_compare(PHP_VERSION, "5.2.0", "<")) { $version = PHP_VERSION; echo <<