diff --git a/core/includes/bootstrap.inc b/core/includes/bootstrap.inc index 60b086a..ab61fc1 100644 --- a/core/includes/bootstrap.inc +++ b/core/includes/bootstrap.inc @@ -2295,12 +2295,12 @@ function _drupal_bootstrap_configuration() { // Initialize the configuration, including variables from settings.php. drupal_settings_initialize(); - // Activate the class loader. - drupal_classloader(); - // Make sure we are using the test database prefix in child Drupal sites. _drupal_initialize_db_test_prefix(); + // Activate the class loader. + drupal_classloader(); + // Load the procedural configuration system helper functions. require_once DRUPAL_ROOT . '/core/includes/config.inc'; @@ -2630,6 +2630,7 @@ function typed_data() { * HMAC and timestamp. */ function drupal_valid_test_ua($new_prefix = NULL) { + global $drupal_hash_salt; static $test_prefix; if (isset($new_prefix)) { @@ -2642,10 +2643,10 @@ function drupal_valid_test_ua($new_prefix = NULL) { if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/^(simpletest\d+);(.+);(.+);(.+)$/", $_SERVER['HTTP_USER_AGENT'], $matches)) { list(, $prefix, $time, $salt, $hmac) = $matches; $check_string = $prefix . ';' . $time . ';' . $salt; - // Use the salt from settings.php to create the HMAC key, since no services - // are available yet. The file properties add more entropy not easily - // accessible to others. - $key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__); + // We use the salt from settings.php to make the HMAC key, since + // the database is not yet initialized and we can't access any Drupal variables. + // The file properties add more entropy not easily accessible to others. + $key = $drupal_hash_salt . filectime(__FILE__) . fileinode(__FILE__); $time_diff = REQUEST_TIME - $time; // Since we are making a local request a 5 second time window is allowed, // and the HMAC must match. 
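Review bot: The new derivation `$key = $drupal_hash_salt . filectime(__FILE__) . fileinode(__FILE__);` loses the fallback that the removed `drupal_get_hash_salt()` call supplied, so on a site whose settings.php leaves `$drupal_hash_salt` empty the HMAC key collapses to the file's ctime and inode, which are readable by any local user and not hard to guess remotely. The helper is presumably unavailable this early because the patch moves it to common.inc, so either keep the fallback inline, `$salt_key = empty($drupal_hash_salt) ? hash('sha256', serialize($GLOBALS['databases'])) : $drupal_hash_salt;`, or refuse to honour a simpletest user agent at all while no salt is configured. The comparison of `$hmac` with the recomputed value sits below this hunk; if it is a plain `==` it should become a constant-time comparison. drupal_valid_test_ua's body continues outside the hunk.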
@@ -2663,13 +2664,14 @@ function drupal_valid_test_ua($new_prefix = NULL) { * Generates a user agent string with a HMAC and timestamp for simpletest. */ function drupal_generate_test_ua($prefix) { + global $drupal_hash_salt; static $key; if (!isset($key)) { - // Use the salt from settings.php to create the HMAC key, since no services - // are available yet. The file properties add more entropy not easily - // accessible to others. - $key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__); + // We use the salt from settings.php to make the HMAC key, since + // the database is not yet initialized and we can't access any Drupal variables. + // The file properties add more entropy not easily accessible to others. + $key = $drupal_hash_salt . filectime(__FILE__) . fileinode(__FILE__); } // Generate a moderately secure HMAC based on the database credentials. $salt = uniqid('', TRUE); @@ -3207,7 +3209,7 @@ function drupal_classloader($class_loader = NULL) { case 'apc': if (function_exists('apc_store')) { require_once DRUPAL_ROOT . '/core/vendor/symfony/class-loader/Symfony/Component/ClassLoader/ApcUniversalClassLoader.php'; - $loader = new ApcUniversalClassLoader('drupal.' . drupal_get_hash_salt()); + $loader = new ApcUniversalClassLoader('drupal.' . $GLOBALS['drupal_hash_salt']); break; } // Fall through to the default loader if APC was not loaded, so that the diff --git a/core/includes/common.inc b/core/includes/common.inc index f3d8f2c..abf5f71 100644 --- a/core/includes/common.inc +++ b/core/includes/common.inc 
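Review bot: drupal_generate_test_ua now builds `$key` from the raw `$drupal_hash_salt` with no handling of an empty value, exactly mirroring the validator, so whatever policy is adopted there (inline fallback to a hash of `$GLOBALS['databases']`, or refusing to run without a configured salt) must be applied here too or every simpletest child request will fail the HMAC check. The surviving context comment `// Generate a moderately secure HMAC based on the database credentials.` is no longer accurate once the key comes from the settings.php salt alone; I would reword it to `// Generate the HMAC from the settings.php salt and a per-request nonce.`. The function body continues past the end of the hunk.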
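Review bot: `new ApcUniversalClassLoader('drupal.' . $GLOBALS['drupal_hash_salt'])` embeds the secret hash salt verbatim in every APC user-cache key, and the APC user cache is typically shared by all vhosts served from the same PHP process, so any other application or status page able to list cache keys learns the value that drupal_valid_test_ua trusts as HMAC key material. An empty salt also degenerates to the bare prefix `drupal.` for every install on the host, so two sites would read each other's cached class paths. A prefix derived from the secret rather than equal to it avoids both, e.g. `$loader = new ApcUniversalClassLoader('drupal.' . hash('sha256', DRUPAL_ROOT . $GLOBALS['drupal_hash_salt']));`. drupal_classloader's switch statement starts outside the hunk.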
@@ -4771,6 +4771,19 @@ function drupal_json_decode($var) { } /** + * Gets a salt useful for hardening against SQL injection. + * + * @return + * A salt based on information in settings.php, not in the database. + */ +function drupal_get_hash_salt() { + global $drupal_hash_salt, $databases; + // If the $drupal_hash_salt variable is empty, a hash of the serialized + // database credentials is used as a fallback salt. + return empty($drupal_hash_salt) ? hash('sha256', serialize($databases)) : $drupal_hash_salt; +} + +/** * Ensures the private key variable used to generate tokens is set. * * @return
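Review bot: The summary line `Gets a salt useful for hardening against SQL injection.` does not describe what drupal_get_hash_salt does or how this patch uses it (HMAC key material for the simpletest user agent and an APC cache-key prefix); a salt plays no part in SQL injection defence. I would reword it to `Gets the site-specific hash salt, falling back to a hash of the database credentials.` and give the return a type, `@return string`. Two caveats worth a comment on the fallback branch: the value becomes a deterministic function of the serialized `$databases` array, so callers must not expose it anywhere an attacker could run an offline guess against the credentials, and `empty()` treats a configured salt of `'0'` as unset.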