Merge pull request #19211 from eileenmcnaughton/form_move

[civicrm-core.git] / CRM / Core / Key.php

diff --git a/CRM/Core/Key.php b/CRM/Core/Key.php
index 505bd3588d5e441b78a1bf84d99b00c3b81c3b86..3e7826f2c7172ae2691330defc261b5606da096a 100644 (file)
--- a/CRM/Core/Key.php
+++ b/CRM/Core/Key.php
@@ -89,7 +89,7 @@ class CRM_Core_Key {
     $key = self::sign($name);
 
     if ($addSequence) {
-      // now generate a random number between 1 and 100K and add it to the key
+      // now generate a random number between 1 and 10000 and add it to the key
       // so that we can have forms in mutiple tabs etc
       $key = $key . '_' . mt_rand(1, 10000);
     }
@@ -129,11 +129,8 @@ class CRM_Core_Key {
   }
 
   /**
-   * The original version of this function, added circa 2010 and untouched
-   * since then, seemed intended to check for a 32-digit hex string followed
-   * optionally by an underscore and 4-digit number. But it had a bug where
-   * the optional part was never checked ever. So have decided to remove that
-   * second check to keep it simple since it seems like pseudo-security.
+   * Check that the key is well-formed. This does not check that the key is
+   * currently a key that is in use or belongs to a real form/session.
    *
    * @param string $key
    *
@@ -141,7 +138,8 @@ class CRM_Core_Key {
    *   TRUE if the signature ($key) is well-formed.
    */
   public static function valid($key) {
-    // ensure that hash is a hex number (of expected length)
+    // ensure that key is an alphanumeric string of at least HASH_LENGTH with
+    // an optional underscore+digits at the end.
     return preg_match('#^[0-9a-zA-Z]{' . self::HASH_LENGTH . ',}+(_\d+)?$#', $key) ? TRUE : FALSE;
   }