From a3748864255c7ea603ab06f05563ef125992eb7d Mon Sep 17 00:00:00 2001
From: Nick Liu
Date: Sun, 23 Sep 2018 15:32:57 -0500
Subject: [PATCH] =?UTF-8?q?Fixes=20#3437=20=E2=80=93=20e=5Fform::inlineTok?= =?UTF-8?q?en()=20performance?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This "inline token" is generated 30 times in my test, but it's the same session_id() being hashed. This is wasteful and can be mitigated in two ways:
* Reducing the time cost like so: return password_hash(session_id(), PASSWORD_DEFAULT, ['cost' => 04]);
* Storing the hash as an instance variable the first time it's generated
This commit applies both mitigations.
---
 e107_handlers/form_handler.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/e107_handlers/form_handler.php b/e107_handlers/form_handler.php
index 0929afa2d..1a83cd3bb 100644
--- a/e107_handlers/form_handler.php
+++ b/e107_handlers/form_handler.php
@@ -67,7 +67,7 @@ class e_form
 protected $_tabindex_enabled = true;
 protected $_cached_attributes = array();
 protected $_field_warnings = array();
-
+ protected $_inline_token = null;
 
 /**
 * @var user_class
@@ -4420,7 +4420,9 @@ class e_form
 */
 private function inlineToken()
 {
- return password_hash(session_id(), PASSWORD_DEFAULT);
+ $this->_inline_token = $this->_inline_token ?:
+ password_hash(session_id(), PASSWORD_DEFAULT, ['cost' => 04]);
+ return $this->_inline_token;
 }
 
 /**
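Review bot: In `inlineToken()` the `['cost' => 04]` option only has meaning for bcrypt, but the algorithm argument is `PASSWORD_DEFAULT`, which PHP documents as subject to change; if the default ever moves to another algorithm the option would no longer apply and the speed-up would be lost without any error. Pinning the algorithm keeps the two in step, and a decimal literal reads more clearly than the octal `04`: `password_hash(session_id(), PASSWORD_BCRYPT, ['cost' => 4]);`. Cost 4 is bcrypt's minimum, so the token's resistance to offline guessing now rests entirely on the entropy of the session ID; a short comment saying so (e.g. `// low cost is acceptable only because session_id() is high-entropy`) would keep the value from being copied into real password hashing. The code that checks the token is outside this hunk, so confirm it still uses `password_verify()`, which reads the cost from the hash itself.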