Bug #79999
Updated by Helmut Hummel over 7 years ago
The code to transfer the inline parent context to form engine
in Ajax requests exists but is currently non functional in some
situations.
The config is stored as array, which is hashed by serializing the array,
and building the hash on that string. However that string is not transferred
over the wire, but the json encoded array.
If a float value was present at some place in this array, json_encode and json_decode
will add a slight offset to these numbers than if the value is serialized.
<pre>
$a = [
'value' => 1 / 3
]
var_dump(serialize($a) === serialize(json_decode(json_encode($a), true)));
</pre>
This construct is never true, but is exactly how the current hmac validation works.
Instead, we must use json_encode the array and create the hash against that value, so that these floating point numbers will match.