Bug #36767

generateHmac does not use safe getEncryptionKey leading to possibly invalid hmacs

Added by Alexander Berl about 9 years ago. Updated about 9 years ago.

Status: Resolved
Priority: Must have
Assignee: -
Category: Security
Start date: 2012-05-02
Due date:
% Done: 100%
Estimated time:
PHP Version: 5.3
Has patch: Yes
Complexity: no-brainer

Description

Currently, the generateHmac function of the Security\Cryptography\HashService directly accesses $this->encryptionKey instead of using the (lazy-loading) getter.
Hence, under certain circumstances, the encryptionKey may still be unloaded, leading to wrong HMACs being generated, which is only noticed when the HMAC validation fails later on.
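
The failure mode described in this report, as an added example that is not the FLOW3 source or the patch under review: one method reads the key property directly, the other goes through the lazy-loading getter. The class name `SketchHashService`, the `generateHmacDirect` method, the key-loader callback, the demo key and the choice of `sha256` are assumptions made for the example, which uses PHP 7 syntax.

```php
<?php
// Added illustration: class, method and key names are hypothetical, not FLOW3 source.
final class SketchHashService
{
    /** @var string|null Stays null until getEncryptionKey() has run once. */
    private $encryptionKey = null;
    private $keyLoader; // stand-in for however the real key is read from storage

    public function __construct(callable $keyLoader)
    {
        $this->keyLoader = $keyLoader;
    }

    /** Lazy-loading getter: loads the key on first use and rejects an empty one. */
    private function getEncryptionKey(): string
    {
        if ($this->encryptionKey === null) {
            $this->encryptionKey = (string) call_user_func($this->keyLoader);
        }
        if ($this->encryptionKey === '') {
            throw new RuntimeException('Encryption key could not be loaded');
        }
        return $this->encryptionKey;
    }

    /** Pattern from the report: reads the property and may see the unloaded value. */
    public function generateHmacDirect(string $data): string
    {
        return hash_hmac('sha256', $data, (string) $this->encryptionKey);
    }

    /** Corrected pattern: every HMAC goes through the getter. */
    public function generateHmac(string $data): string
    {
        return hash_hmac('sha256', $data, $this->getEncryptionKey());
    }

    public function validateHmac(string $data, string $hmac): bool
    {
        return hash_equals($this->generateHmac($data), $hmac);
    }
}

$service = new SketchHashService(function () { return 'constructed-demo-key'; });
$early = $service->generateHmacDirect('payload');   // issued before any key load
$later = $service->generateHmac('payload');         // issued through the getter
var_dump($early === hash_hmac('sha256', 'payload', '')); // was $early keyed with ''?
var_dump($service->validateHmac('payload', $early));     // does the early HMAC validate?
var_dump($service->validateHmac('payload', $later));     // does the getter HMAC validate?
```

Because the getter throws when no key can be loaded, a missing key surfaces at generation time instead of as a validation failure later on.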


#1

Updated by Gerrit Code Review about 9 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11273

#2

Updated by Gerrit Code Review about 9 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11273

#3

Updated by Gerrit Code Review about 9 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11273

#4

Updated by Gerrit Code Review about 9 years ago

Patch set 1 for branch FLOW3-1.1 has been pushed to the review server.
It is available at http://review.typo3.org/11366

#5

Updated by Ferdinand Kuhl about 9 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
