
Documentation of URI.MungeSecretKey

Posted by AbcAeffchen 
April 20, 2014 06:11PM

Hi,

Today I downloaded and installed HTMLPurifier (standalone). I use the URI.MungeSecretKey setting. The documentation for it says that I have to check the checksum with this code:

$checksum === sha1($secret_key . ':' . $url)

But I think this has changed some time ago, because this didn't work for me. I checked the code and found this at line 21230 of HTMLPurifier.standalone.php:

hash_hmac("sha256", $string, $this->secretKey);

So one has to check the checksum like this:

$checksum === hash_hmac("sha256", $url, $secret_key)

instead of the above version. I tested this and it works fine.

Maybe this prevents somebody from getting crazy about checking the checksum :)

Re: Documentation of URI.MungeSecretKey
April 20, 2014 08:09PM

Yes, you're right; the previous hashing scheme was insecure so we had to switch to HMAC, and the docs lagged. Should be up-to-date now.
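Added example (not part of either post and not HTML Purifier's own code): one way a redirect script could verify the token using the HMAC-SHA256 check from the thread, with a constant-time comparison via `hash_equals`. The function name, the parameter handling and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: returns true only if $token equals
 * hash_hmac("sha256", $url, $secretKey), the check described in the thread.
 *
 * Assumption: $url and $token arrive already URL-decoded, e.g. from $_GET.
 * Parameters are untyped on purpose so array-valued input can be rejected.
 */
function munge_token_is_valid($url, $token, string $secretKey): bool
{
    // Reject missing or array-valued parameters such as ?url[]=x.
    if (!is_string($url) || !is_string($token)) {
        return false;
    }
    // An empty key or URL means the endpoint is misconfigured or misused.
    if ($url === '' || $secretKey === '') {
        return false;
    }
    // A hex-encoded SHA-256 HMAC is exactly 64 hex characters.
    if (strlen($token) !== 64 || !ctype_xdigit($token)) {
        return false;
    }
    $expected = hash_hmac('sha256', $url, $secretKey);
    // hash_equals() compares in constant time, unlike ===.
    return hash_equals($expected, $token);
}

// Constructed sample values, not taken from the thread.
$secretKey = 'example-secret-key-change-me';
$url       = 'http://example.com/page?a=1&b=2';
$token     = hash_hmac('sha256', $url, $secretKey);

// Case 1: token generated for this exact URL.
var_dump(munge_token_is_valid($url, $token, $secretKey));
// Case 2: same token presented with a modified URL.
var_dump(munge_token_is_valid($url . '&c=3', $token, $secretKey));
// Case 3: checksum built the way the old documentation described.
var_dump(munge_token_is_valid($url, sha1($secretKey . ':' . $url), $secretKey));
// Case 4: array-valued parameter instead of a string.
var_dump(munge_token_is_valid(['x'], $token, $secretKey));
```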
