Bug #36767
generateHmac does not use safe getEncryptionKey leading to possibly invalid hmacs
Status: | Resolved | Start date: | 2012-05-02 | |
---|---|---|---|---|
Priority: | Must have | Due date: | ||
Assigned To: | - | % Done: | 100% |
|
Category: | Security | |||
Target version: | TYPO3 Flow Base Distribution - 1.1 | |||
PHP Version: | 5.3 | Complexity: | no-brainer | |
Has patch: | Yes | Affected Flow version: | Git master |
Description
Currently the generateHmac function of the Security\Cryptography\HashService directly accesses $this->encryptionKey instead of using the (lazy loading) getter.
Hence under certain circumstances the encryptionKey may still be unloaded leading to wrong hmacs being generated, only being noticed when the hmac validation fails later on.
Associated revisions
[BUGFIX] generateHmac method does not use safe getEncryptionKey
The generateHmac function uses encryptionKey property directly
and not through the safe getEncryptionKey method, leading to
uninitialized access without having an encryptionKey set.
Change-Id: I35665ee459f1c5cd9afee70db38fe7a1da7cb86d
Fixes: #36767
Releases: 1.1, 1.2
[BUGFIX] generateHmac method does not use safe getEncryptionKey
The generateHmac function uses encryptionKey property directly
and not through the safe getEncryptionKey method, leading to
uninitialized access without having an encryptionKey set.
Change-Id: I26d58cc91d7c934295995f81b7a436ffce2dee92
Fixes: #36767
Releases: 1.1, 1.2
History
#1 Updated by Gerrit Code Review about 3 years ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11273
#2 Updated by Gerrit Code Review about 3 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11273
#3 Updated by Gerrit Code Review about 3 years ago
Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11273
#4 Updated by Gerrit Code Review about 3 years ago
Patch set 1 for branch FLOW3-1.1 has been pushed to the review server.
It is available at http://review.typo3.org/11366
#5 Updated by Ferdinand Kuhl about 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 7c1cadb78710f05da01c9208ad39470edb8df310.