Commit

Force field validation to use sha1
When using blowfish as your application's hashing strategy, form field
validation would fail horribly.  Forcing sha1 fixes this and restores
behavior consistent with 2.2.x

Fixes #3280
markstory committed Oct 19, 2012
1 parent 1cc82ff commit f457f07
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion lib/Cake/Controller/Component/SecurityComponent.php
Expand Up @@ -493,7 +493,7 @@ protected function _validatePost(Controller $controller) {

$fieldList += $lockedFields;
$unlocked = implode('|', $unlocked);
$check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'));
$check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'), 'sha1');
return ($token === $check);
}
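Review bot: The `'sha1'` literal passed to `Security::hash()` in `_validatePost()` has to stay byte-for-byte in step with the one in `FormHelper::secure()`, and nothing in the code ties the two together. A shared constant or a single helper that builds the field token would keep the generating and validating sides from drifting apart again. Separately, on the unchanged context line, `return ($token === $check);` compares a secret-derived value with an ordinary string comparison; a constant-time comparison is the safer choice for a token check. Since the algorithm is now pinned here anyway, it is also worth considering an HMAC keyed with `Security.salt` instead of appending the salt to the hashed string.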

2 changes: 1 addition & 1 deletion lib/Cake/View/Helper/FormHelper.php
Expand Up @@ -538,7 +538,7 @@ public function secure($fields = array()) {

$locked = implode(array_keys($locked), '|');
$unlocked = implode($unlockedFields, '|');
$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'));
$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'), 'sha1');

$out = $this->hidden('_Token.fields', array(
'value' => urlencode($fields . ':' . $locked),
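Review bot: Missing documentation and test coverage for the pinned algorithm at the `Security::hash(..., 'sha1')` call in `secure()`. A short comment saying the type is fixed on purpose, so that the `_Token.fields` value can be recomputed in `SecurityComponent::_validatePost()` regardless of the application's configured hashing strategy, would stop someone from "cleaning up" the second argument later. The commit touches only the component and the helper, so a regression test that configures blowfish as the hash type and round-trips a secured form through validation would lock in the fix for #3280.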