
Use hmac for token hashes to avoid collisions #11101

Merged: 3 commits, Sep 12, 2017

Conversation

@ceeram (Contributor, Author) commented Aug 25, 2017

Use hmac for token hashes to avoid collisions.
Also includes changes of #11151 now, making the token hash user-specific to avoid privilege escalation.
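The two changes this PR describes, keying the token hash with an HMAC so that different inputs cannot collide on a naive hash, and mixing user-specific data into the message so that a token minted for one user does not verify for another, as an added, stand-alone PHP illustration. This is not CakePHP's SecurityComponent or SecureFieldTokenTrait code and does not reproduce the framework's token format; the function names, the use of a session id as the user-specific component, the JSON encoding of the message, the deliberately weak `naiveToken` builder and the sample field lists are all assumptions made for this example.

```php
<?php
// Added example, not CakePHP's own code. Shows (1) why an unkeyed hash over a
// naive concatenation of form fields can collide, (2) a keyed HMAC over a
// canonical encoding that does not, and (3) a per-session component that
// stops a token from being replayed by a different user.
declare(strict_types=1);

// Deliberately weak builder for illustration only (assumption, not the
// pre-PR CakePHP implementation): the salt is just prepended, and the fields
// are joined without separators, so ['user','name'] and ['username'] hash
// to the same value.
function naiveToken(string $salt, array $fields): string
{
    return sha1($salt . implode('', $fields));
}

// Keyed builder: the application salt is the HMAC key, the fields are sorted
// and JSON-encoded so list boundaries survive, and the session id (assumed
// here as the user-specific datum) plus the target URL are part of the
// message. The same fields produce a different token in a different session.
function formToken(string $salt, array $fields, string $sessionId, string $url): string
{
    sort($fields);
    $message = json_encode([$url, $fields, $sessionId]);
    return hash_hmac('sha1', $message, $salt);
}

// Verification recomputes the expected token and compares in constant time.
function verifyFormToken(string $salt, array $fields, string $sessionId, string $url, string $token): bool
{
    $expected = formToken($salt, $fields, $sessionId, $url);
    return hash_equals($expected, $token);
}

// Constructed sample data for the demonstration.
$salt = 'constructed-app-salt-for-this-example';
$url  = '/users/edit';

// Collision case: different field lists that concatenate to the same string.
$fieldsA = ['user', 'name'];
$fieldsB = ['username'];
var_dump(naiveToken($salt, $fieldsA) === naiveToken($salt, $fieldsB));
var_dump(formToken($salt, $fieldsA, 'sess-A', $url) === formToken($salt, $fieldsB, 'sess-A', $url));

// Cross-user case: a token minted in session A is checked in session B.
$token = formToken($salt, ['id', 'role'], 'sess-A', $url);
var_dump(verifyFormToken($salt, ['id', 'role'], 'sess-A', $url, $token));
var_dump(verifyFormToken($salt, ['id', 'role'], 'sess-B', $url, $token));
```

Run with `php example.php`. The first `var_dump` is true because `implode('', ['user','name'])` and `implode('', ['username'])` are the same string, so the unkeyed hash cannot tell the two field lists apart; the second is false because the JSON encoding keeps the list boundaries and the HMAC is keyed with the salt. The last two lines show the token verifying only under the session id it was minted for, which is the privilege-escalation angle of #11151: without a user-specific component, a token captured or generated in one account would be accepted for another. `hash_equals` is used so the comparison does not leak the expected token through timing.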

@ceeram ceeram self-assigned this Aug 25, 2017
@markstory markstory added this to the 3.5.1 milestone Aug 25, 2017
@markstory (Member)

We'll have to mention in the release notes that security component tokens changed, and that existing tokens will become invalid.

@codecov-io commented Aug 25, 2017

Codecov Report

Merging #11101 into master will increase coverage by 0.14%.
The diff coverage is 100%.


@@             Coverage Diff              @@
##             master   #11101      +/-   ##
============================================
+ Coverage     94.89%   95.03%   +0.14%     
- Complexity    12841    13336     +495     
============================================
  Files           437      437              
  Lines         32742    34026    +1284     
============================================
+ Hits          31070    32338    +1268     
- Misses         1672     1688      +16
Impacted Files | Coverage Δ | Complexity Δ
src/View/Helper/SecureFieldTokenTrait.php | 100% <100%> (ø) | 4 <0> (ø) ⬇️
src/Controller/Component/SecurityComponent.php | 98.68% <100%> (ø) | 95 <0> (ø) ⬇️
src/Form/Form.php | 91.3% <0%> (-2.64%) | 20% <0%> (+4%)
src/View/Helper/TextHelper.php | 98.49% <0%> (-0.32%) | 48% <0%> (+24%)
src/View/View.php | 99.16% <0%> (-0.03%) | 231% <0%> (+87%)
src/ORM/Table.php | 100% <0%> (ø) | 282% <0%> (+11%) ⬆️
src/Auth/DigestAuthenticate.php | 100% <0%> (ø) | 64% <0%> (+32%) ⬆️
src/TestSuite/ConsoleIntegrationTestCase.php | 100% <0%> (ø) | 46% <0%> (+21%) ⬆️
src/I18n/Parser/PoFileParser.php | 100% <0%> (ø) | 21% <0%> (+2%) ⬆️
src/I18n/RelativeTimeFormatter.php | 95.02% <0%> (ø) | 74% <0%> (ø) ⬇️
... and 8 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update e5808ba...49f3674.

@markstory markstory modified the milestones: 3.5.1, 3.5.2 Aug 29, 2017
@ceeram (Contributor, Author) commented Sep 4, 2017

Additional PR created targeting this PR's branch, see #11151

Add user specific data to token hash to avoid privilege escalation
@markstory markstory changed the base branch from master to 3.next September 12, 2017 01:34
@markstory (Member)

Moving to 3.6 as the risk of breaking user form submissions is high enough.

@markstory markstory modified the milestones: 3.6.0, 3.5.2 Sep 12, 2017
@markstory markstory merged commit 8a9d4d1 into 3.next Sep 12, 2017
@markstory markstory deleted the token-hmac branch September 12, 2017 01:35
markstory added a commit to cakephp/docs that referenced this pull request Sep 12, 2017