From 49b215d2ec99689f13f5174745cb0d90d2ad8ac5 Mon Sep 17 00:00:00 2001
From: demeritcowboy
Date: Thu, 30 Jul 2020 16:57:04 -0400
Subject: [PATCH] remove dubious code that never runs
---
 CRM/Core/Key.php | 29 +++++++++--------------------
 1 file changed, 9 insertions(+), 20 deletions(-)
diff --git a/CRM/Core/Key.php b/CRM/Core/Key.php
index 637a3a6147..3e4ee1235b 100644
--- a/CRM/Core/Key.php
+++ b/CRM/Core/Key.php
@@ -110,30 +110,19 @@ class CRM_Core_Key {
 }
 /**
- * @param $key
+ * The original version of this function, added circa 2010 and untouched
+ * since then, seemed intended to check for a 32-digit hex string followed
+ * optionally by an underscore and 4-digit number. But it had a bug where
+ * the optional part was never checked ever. So have decided to remove that
+ * second check to keep it simple since it seems like pseudo-security.
+ *
+ * @param string $key
 *
 * @return bool
 */
 public static function valid($key) {
- // a valid key is a 32 digit hex number
- // followed by an optional _ and a number between 1 and 10000
- if (strpos('_', $key) !== FALSE) {
- list($hash, $seq) = explode('_', $key);
-
- // ensure seq is between 1 and 10000
- if (!is_numeric($seq) ||
- $seq < 1 ||
- $seq > 10000
- ) {
- return FALSE;
- }
- }
- else {
- $hash = $key;
- }
-
- // ensure that hash is a 32 digit hex number
- return (bool) preg_match('#[0-9a-f]{32}#i', $hash);
+ // ensure that key contains a 32 digit hex string
+ return (bool) preg_match('#[0-9a-f]{32}#i', $key);
 }
 }
--
2.25.1
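Review bot: The pattern on the new `return (bool) preg_match('#[0-9a-f]{32}#i', $key);` line is unanchored, so `valid()` only checks that a 32-hex-digit run appears somewhere inside `$key`; any prefix or trailing junk passes, which is weaker than the docblock above it describes, and with the sequence branch removed this is now the only structural check the key gets. Anchoring it closes that gap: `return (bool) preg_match('#^[0-9a-f]{32}$#i', $key);`, or, if the underscore-plus-number form the new docblock mentions is still produced elsewhere in this class (the generator is not visible in this hunk), `'#^[0-9a-f]{32}(_[0-9]+)?$#i'`. The new `@param string $key` is documentation only; if callers pass request input that may arrive as an array, `preg_match` warns on PHP 7 and throws a TypeError on PHP 8, so a leading `if (!is_string($key)) { return FALSE; }` is a cheap guard. Minor: the docblock says "4-digit number" while the removed check allowed 1 to 10000.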