Whilst looking at #2164025: Improve security of session ID against DB exposure or SQL injection, I noticed that we can change the code flow to remove some function calls on certain code paths.

Comment  File             Size     Author
#1       2313883.1.patch  1.32 KB  alexpott

Comments

alexpott

Status: Active » Needs review
File status: new, size: 1.32 KB

Patch...

tim.plunkett

Version: 8.x-dev » 8.0.x-dev

legolasbo

Status: Needs review » Reviewed & tested by the community
Issue tags: +Amsterdam2014

The patch looks good to me.

webchick

Status: Reviewed & tested by the community » Fixed

Not immediately obvious from the patch, but a couple lines above that it does:

      $key = array('sid' => Crypt::hashBase64($sid), 'ssid' => '');

So indeed, $key['sid'] is equivalent to the line being changed.

Committed and pushed to 8.x. Thanks!

  • webchick committed 5c60849 on 8.0.x
    Issue #2313883 by alexpott: Fixed Minor code flow improvements to...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.