Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Updated: Comment #N
Problem/Motivation
Now that #2036259: Move $drupal_hash_salt to settings() is in. We can remove the call to drupal_get_hash_salt() in CsrfTokenGenerator and just inject settings instead. Added bonus; we can also remove the if (function_exists(...)) hack in CsrfTokenGeneratorTest. Nice.
Proposed resolution
Inject settings into the csrf_token service, and call settings->get('hash_salt') in the get() method instead.
Remaining tasks
Patch
User interface changes
None
API changes
None
Comment | File | Size | Author |
---|---|---|---|
#7 | interdiff-2201919-7.txt | 2.79 KB | damiankloip |
#7 | 2201919-7.patch | 4.88 KB | damiankloip |
#1 | 2201919.patch | 3.39 KB | damiankloip |
Comments
Comment #1
damiankloip CreditAttribution: damiankloip commentedComment #2
damiankloip CreditAttribution: damiankloip commentedComment #3
dawehnerPerfect cleanup!
Comment #4
catchCommitted/pushed to 8.x, thanks!
Comment #5
tstoecklerdrupal_get_hash_salt() throws an exception on an empty hash salt, which increases security as it does not allow misconfiguration. Are we fine with dumping that?
Comment #6
catchEr, no we're not. Reverted.
Comment #7
damiankloip CreditAttribution: damiankloip commentedSpoke to catch on IRC; Let's add this logic to the CsrfTokenGenerator for now.
Comment #8
damiankloip CreditAttribution: damiankloip commentedCreated that: #2207585: Find a new OO home for drupal_get_hash_salt()
Comment #9
damiankloip CreditAttribution: damiankloip commentedMost of this is now obsolete, an the one small change can be rolled into #2207585: Find a new OO home for drupal_get_hash_salt(). As the usage example with the conversion.