From b4355b4f025745ddb30fbe7f05fc2b7f74613de4 Mon Sep 17 00:00:00 2001
From: demeritcowboy
Date: Sat, 12 Dec 2020 17:56:01 -0500
Subject: [PATCH] update comments

---
 CRM/Core/Key.php | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/CRM/Core/Key.php b/CRM/Core/Key.php
index 505bd3588d..3e7826f2c7 100644
--- a/CRM/Core/Key.php
+++ b/CRM/Core/Key.php
@@ -89,7 +89,7 @@ class CRM_Core_Key {
     $key = self::sign($name);
 
     if ($addSequence) {
-      // now generate a random number between 1 and 100K and add it to the key
+      // now generate a random number between 1 and 10000 and add it to the key
       // so that we can have forms in mutiple tabs etc
       $key = $key . '_' . mt_rand(1, 10000);
     }
@@ -129,11 +129,8 @@ class CRM_Core_Key {
   }
 
   /**
-   * The original version of this function, added circa 2010 and untouched
-   * since then, seemed intended to check for a 32-digit hex string followed
-   * optionally by an underscore and 4-digit number. But it had a bug where
-   * the optional part was never checked ever. So have decided to remove that
-   * second check to keep it simple since it seems like pseudo-security.
+   * Check that the key is well-formed. This does not check that the key is
+   * currently a key that is in use or belongs to a real form/session.
    *
    * @param string $key
    *
@@ -141,7 +138,8 @@ class CRM_Core_Key {
    * TRUE if the signature ($key) is well-formed.
    */
   public static function valid($key) {
-    // ensure that hash is a hex number (of expected length)
+    // ensure that key is an alphanumeric string of at least HASH_LENGTH with
+    // an optional underscore+digits at the end.
     return preg_match('#^[0-9a-zA-Z]{' . self::HASH_LENGTH . ',}+(_\d+)?$#', $key) ? TRUE : FALSE;
   }
 
-- 
2.25.1
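Review bot: The `@return` text just above the new comment still reads `TRUE if the signature ($key) is well-formed.`, which contradicts the rewritten description (the argument is a key, and the method deliberately checks shape only, not that it was signed or is live); suggest `TRUE if $key is well-formed; this is a shape check only, not a signature or session check.` so a caller does not mistake `valid()` for an authenticity check. The `+` after `{HASH_LENGTH,}` in the regex is a possessive quantifier, which readers often take for a typo; since `_` is outside the alphanumeric class it does not affect the optional suffix, and a one-line comment such as `// trailing + is possessive; harmless because _ is not alphanumeric` would save the next maintainer the detour. The enclosing class continues outside the hunk; the docblock this `@return` belongs to starts in the previous hunk.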