Posted by karlosgliberal on April 4, 2008 at 12:39pm
Jump to:
| Project: | Update status aggregator |
| Version: | 5.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | postponed (maintainer needs more info) |
Issue Summary
Hello
I have installed on the same server multiple drupal. When set update_status_notifier, generates MD5sum to me is the same for different site. This causes the update_notifier_server not differentiate.
To generate the MD5sum used this:
$ Pack [ 'key'] = md5 (variable_get ( 'drupal_private_key', 0));
This can be a possible solution
$ Pack [ 'key'] = md5 (variable_get ( 'site_name', 0). Drupal_get_private_key ());
Thank you for your work
I attach sample patch
| Attachment | Size |
|---|---|
| update_status_notifier.patch | 1.1 KB |
Comments
#1
Thanks for your feedback. This problem is very strange because each drupal_private_key should be unique. Do your multiple drupal installations share the same database ?
#2
In my opinion, this bug is not related to update_status_aggregator. If it is even remotely possible to have collisions between two such hashes between two different sites, then there's a security issue in the Drupal core itself. And I doubt that, considering how the key is generated in 5.x:
$key = md5(uniqid(mt_rand(), true)) . md5(uniqid(mt_rand(), true));