
Force field validation to use sha1

When using blowfish as your application's hashing strategy, form field
validation would fail horribly.  Forcing sha1 fixes this and restores
behavior consistent with 2.2.x

Fixes #3280
commit f457f07b5caec53a195b7ce56c5597e5b3cccb9f 1 parent 1cc82ff
@markstory markstory authored
2  lib/Cake/Controller/Component/SecurityComponent.php
@@ -493,7 +493,7 @@ protected function _validatePost(Controller $controller) {
$fieldList += $lockedFields;
$unlocked = implode('|', $unlocked);
- $check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'));
+ $check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'), 'sha1');
return ($token === $check);
}
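Review bot: The check on the line after the changed one, `return ($token === $check);`, compares the submitted token (presumably taken from the posted form; `_validatePost` starts outside the hunk) against a keyed digest with an ordinary string comparison, which is not constant-time. Where the supported PHP versions provide it, `return is_string($token) && hash_equals($check, $token);` removes the dependence of comparison time on how many leading characters match. The pinned algorithm also deserves a why-comment, since the reason is only in the commit message, e.g. `// Pinned to sha1: the form token must be reproducible regardless of the app's configured hashing strategy (see #3280).`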
2  lib/Cake/View/Helper/FormHelper.php
@@ -538,7 +538,7 @@ public function secure($fields = array()) {
$locked = implode(array_keys($locked), '|');
$unlocked = implode($unlockedFields, '|');
- $fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'));
+ $fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'), 'sha1');
$out = $this->hidden('_Token.fields', array(
'value' => urlencode($fields . ':' . $locked),
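Review bot: The literal `'sha1'` is now repeated in this call and in the matching one in `SecurityComponent::_validatePost`, and nothing in the code ties the two together, although the token only validates if both sides build the digest identically. A shared constant or a single helper that produces the digest for both the helper and the component would remove that silent coupling; at minimum each line should carry a comment naming its counterpart. Separately, the tag is built as a plain hash of `data . salt` rather than as an HMAC. If the token format can change, `hash_hmac('sha256', serialize($fields) . $unlocked, Configure::read('Security.salt'))`, applied on both sides, is the standard construction for an integrity tag and does not lean on SHA-1's collision resistance. `secure()` begins and ends outside the hunk.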