Bug #36767

generateHmac does not use safe getEncryptionKey leading to possibly invalid hmacs

Added by Alexander Berl over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Must have
Assignee: -
Category: Security
Start date: 2012-05-02
Due date:
% Done: 100%
Estimated time:
PHP Version: 5.3
Has patch: Yes
Complexity: no-brainer

Description

Currently, the generateHmac function of the Security\Cryptography\HashService directly accesses $this->encryptionKey instead of using the (lazy loading) getter.
Hence, under certain circumstances, the encryptionKey may still be unloaded, leading to wrong hmacs being generated, only being noticed when the hmac validation fails later on.

