
Properly use HMAC for secure munging.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
Edward Z. Yang
2013-09-13 21:16:50 -07:00
parent fac747bdbd
commit cf44f399f8
6 changed files with 12 additions and 7 deletions


@ -11,7 +11,7 @@ DEFAULT: NULL
to check if a URI has passed through HTML Purifier with this line:
</p>
<pre>$checksum === sha1($secret_key . ':' . $url)</pre>
<pre>$checksum === hash_hmac("sha256", $url, $secret_key)</pre>
<p>
If the output is TRUE, the redirector script should accept the URI.


@ -47,6 +47,9 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
$this->parser = new HTMLPurifier_URIParser();
$this->doEmbed = $config->get('URI.MungeResources');
$this->secretKey = $config->get('URI.MungeSecretKey');
if ($this->secretKey && !function_exists('hash_hmac')) {
trigger_error("Cannot use %URI.MungeSecretKey without hash_hmac support.", E_USER_ERROR);
}
return true;
}
@ -104,7 +107,7 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
$this->replace['%p'] = $context->get('CurrentCSSProperty', true);
// not always available
if ($this->secretKey) {
$this->replace['%t'] = sha1($this->secretKey . ':' . $string);
$this->replace['%t'] = hash_hmac("sha256", $string, $this->secretKey);
}
}
}
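Review bot: The new `%t` value at `hash_hmac("sha256", $string, $this->secretKey)` is a different length and value from the old `sha1($this->secretKey . ':' . $string)`, so every deployed redirector that still verifies with the sha1 formula will reject all munged URLs after upgrading; unless one of the other four files in this commit is a NEWS/changelog entry, this needs a compatibility note naming the change, e.g. `// %t is HMAC-SHA256 over the URI (64 hex chars); redirectors verifying the old sha1(key . ':' . url) must be updated`. The verification example in the schema-doc hunk still compares the token with `===`; for an HMAC check it is better to point readers at `hash_equals($checksum, hash_hmac("sha256", $url, $secret_key))` where PHP 5.6+ is available, since a plain string compare leaks the match prefix by timing. The `function_exists('hash_hmac')` guard in the first hunk fails closed with E_USER_ERROR, which is the right behaviour, but both it and the `%t` branch use truthiness on `$this->secretKey`, so a key configured as the string `"0"` is silently treated as unset; a `!== null && !== ''` test would be stricter. The enclosing `prepare()` and `makeReplace()` bodies start outside these hunks.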