Hello

I have installed on the same server multiple drupal. When set update_status_notifier, generates MD5sum to me is the same for different site. This causes the update_notifier_server not differentiate.

To generate the MD5sum used this:

$ Pack [ 'key'] = md5 (variable_get ( 'drupal_private_key', 0));

This can be a possible solution

$ Pack [ 'key'] = md5 (variable_get ( 'site_name', 0). Drupal_get_private_key ());

Thank you for your work

I attach sample patch

CommentFileSizeAuthor
update_status_notifier.patch1.1 KBkarlosgliberal

Comments

yrocq’s picture

Thanks for your feedback. This problem is very strange because each drupal_private_key should be unique. Do your multiple drupal installations share the same database ?

anarcat’s picture

Status: Patch (to be ported) » Postponed (maintainer needs more info)

In my opinion, this bug is not related to update_status_aggregator. If it is even remotely possible to have collisions between two such hashes between two different sites, then there's a security issue in the Drupal core itself. And I doubt that, considering how the key is generated in 5.x:

    $key = md5(uniqid(mt_rand(), true)) . md5(uniqid(mt_rand(), true));