
Force field validation to use sha1

When using blowfish as your application's hashing strategy, form field
validation would fail horribly.  Forcing sha1 fixes this and restores
behavior consistent with 2.2.x

Fixes #3280
commit f457f07b5caec53a195b7ce56c5597e5b3cccb9f 1 parent 1cc82ff
Mark Story authored October 18, 2012
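--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -493,7 +493,7 @@ protected function _validatePost(Controller $controller) {
 
 		$fieldList += $lockedFields;
 		$unlocked = implode('|', $unlocked);
-		$check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'));
+		$check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'), 'sha1');
 		return ($token === $check);
 	}
 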
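Review bot: The pinned `'sha1'` on the `$check` line makes the form token a plain SHA-1 over `serialize($fieldList) . $unlocked . salt`, which is a secret-suffix hash rather than a keyed MAC, and the following `return ($token === $check);` is not a constant-time comparison. Since the algorithm is now fixed here anyway, consider computing the token as `hash_hmac('sha1', serialize($fieldList) . $unlocked, Configure::read('Security.salt'))`, with the identical change in `FormHelper::secure()` so both sides still agree. Where the supported PHP version provides it, compare with `hash_equals($check, $token)`. `_validatePost()` starts above this hunk.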
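--- a/lib/Cake/View/Helper/FormHelper.php
+++ b/lib/Cake/View/Helper/FormHelper.php
@@ -538,7 +538,7 @@ public function secure($fields = array()) {
 
 		$locked = implode(array_keys($locked), '|');
 		$unlocked = implode($unlockedFields, '|');
-		$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'));
+		$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'), 'sha1');
 
 		$out = $this->hidden('_Token.fields', array(
 			'value' => urlencode($fields . ':' . $locked),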
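Review bot: The `'sha1'` literal on the `$fields = Security::hash(...)` line has to stay identical to the one in `SecurityComponent::_validatePost()`, but nothing in the code says so or explains why the configured hash type is bypassed. A comment such as `// Must match SecurityComponent::_validatePost(); the token has to be deterministic, so the app-wide hash type (e.g. blowfish) cannot be used.` would keep the two call sites from drifting; the determinism reason is inferred from the commit message, not shown in the hunk. No test change is visible on this page, so a regression test that runs form validation with blowfish as the configured hash type would be worth adding. `secure()` begins and ends outside the hunk.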
