Bug #36767

generateHmac does not use safe getEncryptionKey leading to possibly invalid hmacs

Added by Alexander Berl over 3 years ago. Updated about 3 years ago.

Status: Resolved
Start date: 2012-05-02
Priority: Must have
Due date:
Assigned To: -
% Done: 100%
Category: Security
Target version: TYPO3 Flow Base Distribution - 1.1
PHP Version: 5.3
Complexity: no-brainer
Has patch: Yes
Affected Flow version: Git master

Description

Currently the generateHmac function of the Security\Cryptography\HashService directly accesses $this->encryptionKey instead of using the (lazy loading) getter.
Hence under certain circumstances the encryptionKey may still be unloaded leading to wrong hmacs being generated, only being noticed when the hmac validation fails later on.

0001-BUG-Fix-hash-service-hmac-generation-is-wrong-when-n.patch (985 Bytes) Alexander Berl, 2012-05-02 03:28
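
The failure mode described above, reproduced in an added PHP example (not the TYPO3 Flow source and not the attached patch). The class name, the key-loader callback, the `generateHmacUnsafe` name, the SHA-256 choice and the sample key are assumptions made for the illustration; only `generateHmac` and `getEncryptionKey` are names from the report.

```php
<?php
// Added illustration, not TYPO3 Flow code. LazyKeyHashService, $keyLoader,
// generateHmacUnsafe and the sha256 choice are assumptions.
class LazyKeyHashService
{
    private $encryptionKey = null;   // stays null until the getter loads it
    private $keyLoader;              // hypothetical stand-in for the key store

    public function __construct(callable $keyLoader)
    {
        $this->keyLoader = $keyLoader;
    }

    // Lazy-loading getter: loads on first use and refuses to return an empty key.
    public function getEncryptionKey()
    {
        if ($this->encryptionKey === null) {
            $this->encryptionKey = call_user_func($this->keyLoader);
        }
        if (!is_string($this->encryptionKey) || $this->encryptionKey === '') {
            throw new RuntimeException('No encryption key available');
        }
        return $this->encryptionKey;
    }

    // Pattern from the report: reads the property, which may still be unloaded.
    public function generateHmacUnsafe($string)
    {
        return hash_hmac('sha256', $string, (string)$this->encryptionKey);
    }

    // Corrected pattern: always goes through the getter.
    public function generateHmac($string)
    {
        return hash_hmac('sha256', $string, $this->getEncryptionKey());
    }

    public function validateHmac($string, $hmac)
    {
        return hash_equals($this->generateHmac($string), $hmac);
    }
}

// Constructed sample key and payload.
$service = new LazyKeyHashService(function () { return 'constructed-sample-key'; });
$early = $service->generateHmacUnsafe('form-state');  // computed before the key is loaded
// The early value was keyed with an empty string, so the later check rejects it.
var_dump($service->validateHmac('form-state', $early));
var_dump($service->validateHmac('form-state', $service->generateHmac('form-state')));
```

`hash_equals` and the `callable` type hint need a newer PHP than the 5.3 listed on this issue; on 5.3 a plain string comparison would stand in for the former, without its constant-time property.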

Associated revisions

Revision 66312551
Added by Ferdinand Kuhl about 3 years ago

[BUGFIX] generateHmac method does not use safe getEncryptionKey

The generateHmac function uses encryptionKey property directly
and not through the safe getEncryptionKey method, leading to
uninitialized access without having an encryptionKey set.

Change-Id: I35665ee459f1c5cd9afee70db38fe7a1da7cb86d
Fixes: #36767
Releases: 1.1, 1.2

Revision 7c1cadb7
Added by Ferdinand Kuhl about 3 years ago

[BUGFIX] generateHmac method does not use safe getEncryptionKey

The generateHmac function uses encryptionKey property directly
and not through the safe getEncryptionKey method, leading to
uninitialized access without having an encryptionKey set.

Change-Id: I26d58cc91d7c934295995f81b7a436ffce2dee92
Fixes: #36767
Releases: 1.1, 1.2

History

#1 Updated by Gerrit Code Review about 3 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11273

#2 Updated by Gerrit Code Review about 3 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11273

#3 Updated by Gerrit Code Review about 3 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11273

#4 Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch FLOW3-1.1 has been pushed to the review server.
It is available at http://review.typo3.org/11366

#5 Updated by Ferdinand Kuhl about 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
