Project

General

Profile

Bug #79999

Updated by Helmut Hummel over 7 years ago

The code to transfer the inline parent context to form engine 
 in Ajax requests exists but is currently non functional in some 
 situations. 

 The config is stored as array, which is hashed by serializing the array,  
 and building the hash on that string. However that string is not transferred 
 over the wire, but the json encoded array. 

 If a float value was present at some place in this array, json_encode and json_decode 
 will add a slight offset to these numbers than if the value is serialized. 

 <pre> 

 $a = [ 
   'value' => 1 / 3 
 ] 

 var_dump(serialize($a) === serialize(json_decode(json_encode($a), true))); 

 </pre> 

 This construct is never true, but is exactly how the current hmac validation works. 

 Instead, we must use json_encode the array and create the hash against that value, so that these floating point numbers will match.

Back