Fork me on GitHub
Subscribe 2

Ticket #285 (fixed bug)

Issue with 'forum_hmac' function in PHP 4

  • Created: 2011-02-11 04:40:51
  • Reported by: Mpok
  • Assigned to: Reines
  • Milestone: 1.4.5
  • Component: code
  • Priority: high

The new 'forum_hmac' function provides a fallback for PHP < 5.1.2 (for the hash_hmac function).

BUT the code uses 3 times the sha1 function with 2 parameters ("sha1(param1, param2)"). This second parameter was added only in PHP 5.0.0, so with PHP < 5.0.0, the sha1 function fails and no identification is possible

To fix it : just remove the second parameter every time sha1 is used.

i.e. the last line should be :

return sha1($hmac_opad.sha1($hmac_ipad.$data));


Mpok 2011-02-11 04:43:39

  • Component set to code.

Reines 2011-02-11 11:08:37

  • Milestone set to 1.4.5.
  • Owner set to Reines.

Removing the second parameter isn't necessarily the correct solution, a hmac is meant to use raw sha1 output not the hexadecimal output. It will need a combination of sha1 and pack.

Reines 2011-02-11 16:32:51

Commit bb44b90 to fluxbb master

The second parameter for sha1() wasn't added until PHP 5, so we need to manually pack the result. Spotted by Mpok. #285

Reines 2011-02-11 16:35:46

  • Status changed from open to fixed.

This should be sorted now, could you give it a test by any chance? I don't have PHP4 available anywhere and it isn't in the Ubuntu repositories anymore.

Mpok 2011-02-11 21:44:37

Yep, it works.

Reines 2011-02-11 21:46:43