There's currently this code in update_status.module (in Drupal HEAD as well):

  $drupal_private_key = variable_get('drupal_private_key', '');
  $site_key = md5($base_url . $drupal_private_key);

The problem is, if the drupal_private_key variable hasn't been set yet, the site key becomes just md5('http://example.com'); which is not very secure. Drupal provides an API function drupal_get_private_key() which will set this variable if it isn't already.

The good news is, the chances of this variable NOT being set are very, very small, since each form calls this function when it goes to generate the token. But nonetheless, we should be calling the proper API function so that privacy is maintained.

CommentFileSizeAuthor
#2 update-6.x-private-key-178892.patch.txt737 bytesdww
#1 update_status-private-key-178892-1.patch762 byteswebchick
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Active » Needs review
FileSize
update_status-private-key-178892-1.patch762 bytes

Patch. This needs to be fixed in Drupal HEAD too.

dww’s picture

dww
we/he/they
CreditAttribution: dww commented
Project: Update Status » Drupal core
Version: 5.x-2.x-dev » 6.x-dev
Component: Code » update.module
FileSize
update-6.x-private-key-178892.patch.txt737 bytes

Reviewed, tested, and committed to DRUPAL-5--2. Thanks!

Here's an equivalent patch for 6.x core for the same bug.

moshe weitzman’s picture

moshe weitzman CreditAttribution: moshe weitzman commented
Status: Needs review » Reviewed & tested by the community
Gábor Hojtsy’s picture

Gábor Hojtsy
he/him
Primary language Hungarian
Location Hungary
CreditAttribution: Gábor Hojtsy commented
Status: Reviewed & tested by the community » Fixed

Thanks, committed.

Anonymous’s picture

(not verified) CreditAttribution: commented
Status: Fixed » Closed (fixed)