Use the new security salt to calculate the nonce instead of using password_hash
@@ -423,7 +423,6 @@ abstract class Utils
|
||||
return in_array($value, [true, 1, '1', 'yes', 'on', 'true'], true);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Generates a nonce string to be hashed. Called by self::getNonce()
|
||||
*
|
||||
@@ -451,7 +450,7 @@ abstract class Utils
|
||||
$i++;
|
||||
}
|
||||
|
||||
return ( $i . '|' . $action . '|' . $username . '|' . $token );
|
||||
return ( $i . '|' . $action . '|' . $username . '|' . $token . '|' . self::getGrav()['config']->get('security.salt'));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -468,19 +467,6 @@ abstract class Utils
|
||||
return (int)ceil(time() / ( $secondsInHalfADay ));
|
||||
}
|
||||
|
||||
/**
|
||||
* Get hash of given string
|
||||
*
|
||||
* @param string $data string to hash
|
||||
*
|
||||
* @return string hashed value of $data, cut to 10 characters
|
||||
*/
|
||||
public static function hash($data)
|
||||
{
|
||||
$hash = password_hash($data, PASSWORD_DEFAULT);
|
||||
return $hash;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a hashed nonce tied to the passed action. Tied to the current user and time. The nonce for a given
|
||||
* action is the same for 12 hours.
|
||||
@@ -496,9 +482,8 @@ abstract class Utils
|
||||
if (isset(static::$nonces[$action])) {
|
||||
return static::$nonces[$action];
|
||||
}
|
||||
$nonce = self::hash(self::generateNonceString($action, $plusOneTick));
|
||||
|
||||
static::$nonces[$action] = str_replace('/', 'SLASH', $nonce);
|
||||
$nonce = md5(self::generateNonceString($action, $plusOneTick));
|
||||
static::$nonces[$action] = $nonce;
|
||||
|
||||
return static::$nonces[$action];
|
||||
}
|
||||
@@ -513,21 +498,18 @@ abstract class Utils
|
||||
*/
|
||||
public static function verifyNonce($nonce, $action)
|
||||
{
|
||||
$nonce = str_replace('SLASH', '/', $nonce);
|
||||
|
||||
//Nonce generated 0-12 hours ago
|
||||
if (password_verify(self::generateNonceString($action), $nonce)) {
|
||||
if ($nonce == self::getNonce($action)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
//Nonce generated 12-24 hours ago
|
||||
$plusOneTick = true;
|
||||
if (password_verify(self::generateNonceString($action, $plusOneTick), $nonce)) {
|
||||
if ($nonce == self::getNonce($action, $plusOneTick)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
//Invalid nonce
|
||||
return false;
|
||||
}
|
||||
|
||||
}
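Review bot: The two new comparisons in verifyNonce, `if ($nonce == self::getNonce($action))` and its `$plusOneTick` twin, compare request-supplied input with loose `==`, and now that the nonce is a bare md5 hex string this is exposed to PHP numeric-string juggling: a digest of the form `0e<digits>` is a numeric string and compares equal to other numeric strings such as `"0"`, so a nonce can validate without matching. Replace both with `is_string($nonce) && hash_equals(self::getNonce($action), $nonce)` (and the `$plusOneTick` variant), which is strict and constant-time; if the project's minimum PHP predates hash_equals, `===` is the floor. Separately, generateNonceString now appends the salt to the digest input that getNonce feeds to md5; a keyed MAC is the stronger construction, e.g. `$nonce = hash_hmac('sha256', self::generateNonceString($action, $plusOneTick), $salt);` in getNonce with the salt no longer concatenated into the string (getNonce's signature and the config defaults are outside this diff). If `security.salt` is unset, `config->get()` presumably returns null and the nonce degrades to a function of action, username, token and tick alone, so failing loudly on a missing salt is worth considering.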
|
||||
|
||||