Improve hashing logic

pull/42/head
Frode Petterson 2017-07-27 13:36:51 +02:00
parent b6019ade21
commit 7728243c18
1 changed files with 31 additions and 11 deletions


@ -2790,16 +2790,8 @@ class H5PCore {
* @return string token
*/
public static function createToken($action) {
if (!isset($_SESSION['h5p_token'])) {
// Create an unique key which is used to create action tokens for this session.
$_SESSION['h5p_token'] = uniqid();
}
// Timefactor
$time_factor = self::getTimeFactor();
// Create and return token
return substr(hash('md5', $action . $time_factor . $_SESSION['h5p_token']), -16, 13);
return self::hashToken($action, self::getTimeFactor());
}
/**
@ -2810,6 +2802,31 @@ class H5PCore {
return ceil(time() / (86400 / 2));
}
/**
* Generate a unique hash string based on action, time and token
*
* @param string $action
* @param int $time_factor
* @return string
*/
private static function hashToken($action, $time_factor) {
if (!isset($_SESSION['h5p_token'])) {
// Create an unique key which is used to create action tokens for this session.
if (function_exists('random_bytes')) {
$_SESSION['h5p_token'] = base64_encode(random_bytes(15));
}
else if (function_exists('openssl_random_pseudo_bytes')) {
$_SESSION['h5p_token'] = base64_encode(openssl_random_pseudo_bytes(15));
}
else {
$_SESSION['h5p_token'] = uniqid('', TRUE);
}
}
// Create hash and return
return substr(hash('md5', $action . $time_factor . $_SESSION['h5p_token']), -16, 13);
}
/**
* Verify if the given token is valid for the given action.
*
@ -2818,9 +2835,12 @@ class H5PCore {
* @return boolean valid token
*/
public static function validToken($action, $token) {
// Get the timefactor
$time_factor = self::getTimeFactor();
return $token === substr(hash('md5', $action . $time_factor . $_SESSION['h5p_token']), -16, 13) || // Under 12 hours
$token === substr(hash('md5', $action . ($time_factor - 1) . $_SESSION['h5p_token']), -16, 13); // Between 12-24 hours
// Check token to see if it's valid
return $token === self::hashToken($action, $time_factor) || // Under 12 hours
$token === self::hashToken($action, $time_factor - 1); // Between 12-24 hours
}
/**
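Review bot: The two comparisons in the new validToken body (`$token === self::hashToken(...)`) short-circuit on the first differing byte, so token checks should go through the constant-time `hash_equals()` instead: `return is_string($token) && (hash_equals(self::hashToken($action, $time_factor), $token) || hash_equals(self::hashToken($action, $time_factor - 1), $token));`. The `is_string` guard matters because `hash_equals()` rejects non-string arguments, and callers presumably pass `$token` straight from the request. If the `function_exists('random_bytes')` fallbacks in hashToken mean PHP older than 5.6 is still supported, `hash_equals` (5.6+) needs the same `function_exists` guard with the current `===` form as the fallback. In the same spirit, the `openssl_random_pseudo_bytes(15)` branch in hashToken discards the `$crypto_strong` out-parameter, so a weak generator is accepted silently; passing it and falling through to an error (rather than to `uniqid`) when it is false would keep the session key unpredictable.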