Change to safer hash methods.

2024-12-25 16:31:15 -06:00 · 2020-04-11 06:42:21 +02:00 · 2020-04-11 06:42:21 +02:00 · 6829003f5e
commit 6829003f5e
parent 91deb22a3f
8 changed files with 15 additions and 12 deletions
--- a/app/Handlers/Events/UserEventHandler.php
+++ b/app/Handlers/Events/UserEventHandler.php
@ -165,7 +165,8 @@ class UserEventHandler
        $user      = $event->user;
        $ipAddress = $event->ipAddress;
        $token     = app('preferences')->getForUser($user, 'email_change_undo_token', 'invalid');
-        $uri       = route('profile.undo-email-change', [$token->data, hash('sha256', $oldEmail)]);
+        $hashed    = hash('sha256', sprintf('%s%s', (string) config('app.key'), $oldEmail));
+        $uri       = route('profile.undo-email-change', [$token->data,$hashed]);
        try {
            Mail::to($oldEmail)->send(new UndoEmailChangeMail($newEmail, $oldEmail, $uri, $ipAddress));
            // @codeCoverageIgnoreStart
--- a/app/Http/Controllers/JavascriptController.php
+++ b/app/Http/Controllers/JavascriptController.php
@ -126,7 +126,7 @@ class JavascriptController extends Controller
        /** @noinspection NullPointerExceptionInspection */
        $lang      = $pref->data;
        $dateRange = $this->getDateRangeConfig();
-        $uid       = substr(hash('sha256', auth()->user()->id . auth()->user()->email), 0, 12);
+        $uid       = substr(hash('sha256', sprintf('%s-%s-%s', (string) config('app.key'), auth()->user()->id, auth()->user()->email)), 0, 12);

        $data = [
            'currencyCode'    => $currency->code,
--- a/app/Http/Controllers/ProfileController.php
+++ b/app/Http/Controllers/ProfileController.php
@ -555,7 +555,7 @@ class ProfileController extends Controller
        /** @var string $match */
        $match = null;
        foreach ($set as $entry) {
-            $hashed = hash('sha256', $entry->data);
+            $hashed = hash('sha256', sprintf('%s%s', (string) config('app.key'), $entry->data));
            if ($hashed === $hash) {
                $match = $entry->data;
                break;
--- a/app/Repositories/ImportJob/ImportJobRepository.php
+++ b/app/Repositories/ImportJob/ImportJobRepository.php
@ -384,7 +384,7 @@ class ImportJobRepository implements ImportJobRepositoryInterface
        $attachment = new Attachment; // create Attachment object.
        $attachment->user()->associate($job->user);
        $attachment->attachable()->associate($job);
-        $attachment->md5      = md5($content);
+        $attachment->md5      = substr(hash('sha256', $content), 0, 32); // limit due to DB.
        $attachment->filename = $name;
        $attachment->mime     = 'plain/txt';
        $attachment->size     = strlen($content);
--- a/app/Services/Password/PwndVerifierV2.php
+++ b/app/Services/Password/PwndVerifierV2.php
@ -58,8 +58,11 @@ class PwndVerifierV2 implements Verifier
        $rest   = substr($hash, 5);
        $uri    = sprintf('https://api.pwnedpasswords.com/range/%s', $prefix);
        $opt    = [
-            'headers' => ['User-Agent' => 'Firefly III v' . config('firefly.version')],
-            'timeout' => 5];
+            'headers' => [
+                'User-Agent' => 'Firefly III v' . config('firefly.version'),
+                'Add-Padding' => 'true',
+            ],
+            'timeout' => 3.1415];

        Log::debug(sprintf('hash prefix is %s', $prefix));
        Log::debug(sprintf('rest is %s', $rest));
@ -87,7 +90,7 @@ class PwndVerifierV2 implements Verifier

            return true;
        }
-        Log::debug(sprintf('Could not find %s, return FALSE.', $rest));
+        Log::debug(sprintf('Found %s, return FALSE.', $rest));

        return false;
    }
--- a/app/Support/CacheProperties.php
+++ b/app/Support/CacheProperties.php
@ -101,8 +101,8 @@ class CacheProperties
    {
        $content = '';
        foreach ($this->properties as $property) {
-            $content .= json_encode($property);
+            $content .= json_encode($property, JSON_THROW_ON_ERROR, 512);
        }
-        $this->hash = substr(sha1($content), 0, 16);
+        $this->hash = substr(hash('sha256', $content), 0, 16);
    }
 }
--- a/app/Support/Preferences.php
+++ b/app/Support/Preferences.php
@ -26,7 +26,6 @@ use Cache;
 use Exception;
 use FireflyIII\Models\Preference;
 use FireflyIII\User;
-use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Support\Collection;
 use Log;
 use Session;
@ -200,7 +199,7 @@ class Preferences
            $lastActivity = implode(',', $lastActivity);
        }

-        return md5($lastActivity);
+        return hash('sha256', $lastActivity);
    }

    /**
--- a/database/migrations/2016_06_16_000002_create_main_tables.php
+++ b/database/migrations/2016_06_16_000002_create_main_tables.php
@ -133,7 +133,7 @@ class CreateMainTables extends Migration
                    $table->integer('user_id', false, true);
                    $table->integer('attachable_id', false, true);
                    $table->string('attachable_type', 255);
-                    $table->string('md5', 32);
+                    $table->string('md5', 128);
                    $table->string('filename', 1024);
                    $table->string('title', 1024)->nullable();
                    $table->text('description')->nullable();