
Force field validation to use sha1

When using blowfish as your application's hashing strategy, form field
validation would fail horribly.  Forcing sha1 fixes this and restores
behavior consistent with 2.2.x

Fixes #3280
1 parent 1cc82ff commit f457f07b5caec53a195b7ce56c5597e5b3cccb9f @markstory markstory committed Oct 18, 2012
Showing with 2 additions and 2 deletions.
  1. +1 −1 lib/Cake/Controller/Component/SecurityComponent.php
  2. +1 −1 lib/Cake/View/Helper/FormHelper.php
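--- a/lib/Cake/Controller/Component/SecurityComponent.php
+++ b/lib/Cake/Controller/Component/SecurityComponent.php
@@ -493,7 +493,7 @@ protected function _validatePost(Controller $controller) {
 $fieldList += $lockedFields;
 $unlocked = implode('|', $unlocked);
-$check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'));
+$check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'), 'sha1');
 return ($token === $check);
 }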
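Review bot: `return ($token === $check);` compares the submitted token with the expected hash using `===`, which is not a constant-time comparison, and this commit leaves it in place. Assuming `$token` comes from the posted `_Token.fields` value (its origin is outside the hunk), use `return hash_equals($check, (string)$token);` where the supported PHP version provides it, or a constant-time comparison helper otherwise. The literal `'sha1'` also has to stay identical to the one in FormHelper::secure(), so a short comment such as `// Must match FormHelper::secure(); password hash types (e.g. blowfish) cannot be used here` would help. _validatePost() starts above the hunk.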
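--- a/lib/Cake/View/Helper/FormHelper.php
+++ b/lib/Cake/View/Helper/FormHelper.php
@@ -538,7 +538,7 @@ public function secure($fields = array()) {
 $locked = implode(array_keys($locked), '|');
 $unlocked = implode($unlockedFields, '|');
-$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'));
+$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'), 'sha1');
 $out = $this->hidden('_Token.fields', array(
 'value' => urlencode($fields . ':' . $locked),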
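Review bot: The field token built on the `$fields = Security::hash(...)` line is a plain SHA-1 of the data with `Security.salt` appended, not a keyed MAC, so its integrity guarantee rests on an ad-hoc construction. `hash_hmac('sha1', serialize($fields) . $unlocked, Configure::read('Security.salt'))` is the standard way to authenticate this value. SecurityComponent::_validatePost() recomputes the same value and would need the identical change in the same commit, otherwise every secured form fails validation. secure() begins above the hunk and the `$this->hidden(...)` call continues past it.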
