There's currently this code in update_status.module (in Drupal HEAD as well):
```php
$drupal_private_key = variable_get('drupal_private_key', '');
$site_key = md5($base_url . $drupal_private_key);
```
The problem is that if the drupal_private_key variable hasn't been set yet, the site key collapses to md5('http://example.com'), which is not very secure: anyone who knows the site's URL can compute it. Drupal provides an API function, drupal_get_private_key(), which sets this variable if it isn't already set.
The good news is, the chances of this variable NOT being set are very, very small, since each form calls this function when it goes to generate the token. But nonetheless, we should be calling the proper API function so that privacy is maintained.
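As an added illustration (not code from this issue, the patches, or Drupal itself), the following stand-alone PHP script reproduces the two derivations side by side with an in-memory stand-in for Drupal's variable table: with no key set, the reported code collapses to md5($base_url), while routing through a drupal_get_private_key()-style helper generates and persists a random key first. The array-backed variable_get()/variable_set() and the key-generation line are assumptions made for the demo, not Drupal's implementation.

```php
<?php
// Added example: simulates Drupal's variable storage in a plain array so the
// two site-key derivations from the issue can be compared outside Drupal.
$variables = array();  // stand-in for Drupal's {variable} table (constructed)

function variable_get($name, $default) {
    global $variables;
    return isset($variables[$name]) ? $variables[$name] : $default;
}

function variable_set($name, $value) {
    global $variables;
    $variables[$name] = $value;
}

// Stand-in for Drupal's drupal_get_private_key(): generate and persist a
// random key if none exists yet. The key-generation line is an assumption;
// a modern rewrite would use random_bytes() instead of mt_rand().
function drupal_get_private_key() {
    $key = variable_get('drupal_private_key', '');
    if ($key === '') {
        $key = md5(uniqid(mt_rand(), TRUE));
        variable_set('drupal_private_key', $key);
    }
    return $key;
}

// The derivation the issue reports: silently falls back to an empty key.
function site_key_before($base_url) {
    $drupal_private_key = variable_get('drupal_private_key', '');
    return md5($base_url . $drupal_private_key);
}

// The derivation the patch moves to: always goes through the API function.
function site_key_after($base_url) {
    return md5($base_url . drupal_get_private_key());
}

$base_url = 'http://example.com';  // constructed sample site URL

// With no private key set, the "before" value equals md5($base_url),
// i.e. it is predictable from the public URL alone.
$before = site_key_before($base_url);
printf("before: %s\n", $before);
printf("predictable from URL: %s\n", $before === md5($base_url) ? 'yes' : 'no');

// The "after" value depends on a freshly generated key, and that key is now
// stored, so later callers (including form token generation) share it.
$after = site_key_after($base_url);
printf("after:  %s\n", $after);
printf("key persisted: %s\n", variable_get('drupal_private_key', '') !== '' ? 'yes' : 'no');
```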
Comment | File | Size | Author
---|---|---|---
#2 | update-6.x-private-key-178892.patch.txt | 737 bytes | dww
#1 | update_status-private-key-178892-1.patch | 762 bytes | webchick
Comments
Comment #1
webchick: Patch. This needs to be fixed in Drupal HEAD too.
Comment #2
dww: Reviewed, tested, and committed to DRUPAL-5--2. Thanks!
Here's an equivalent patch for 6.x core for the same bug.
Comment #3
moshe weitzman
Comment #4
Gábor Hojtsy: Thanks, committed.