From b68895ad8bf8892e4d7f1161747e1dc38c6e8927 Mon Sep 17 00:00:00 2001
From: Seamus Lee <seamuslee001@gmail.com>
Date: Tue, 5 Feb 2019 08:48:25 +1100
Subject: [PATCH] Switch to Sha256 and add in a ttl

Further WHIP fixing hmac implementation now need to get it generating consistant hashes

Remove debugging
---
 CRM/Core/BAO/File.php  | 12 ++++++++++--
 CRM/Core/Page/File.php | 15 ++++++++++++---
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/CRM/Core/BAO/File.php b/CRM/Core/BAO/File.php
index d02ec078ce..a1aba72106 100644
--- a/CRM/Core/BAO/File.php
+++ b/CRM/Core/BAO/File.php
@@ -773,12 +773,20 @@ AND       CEF.entity_id    = %2";
    * @param int $fid file ID
    * @return string
    */
-  public static function generateFileHash($eid = NULL, $fid = NULL) {
+  public static function generateFileHash($eid = NULL, $fid = NULL, $genTs = NULL, $life = NULL) {
     // Use multiple (but stable) inputs for hash information.
     $siteKey = defined('CIVICRM_SITE_KEY') ? CIVICRM_SITE_KEY : 'NO_SITE_KEY';
+
+    if (!$genTs) {
+      $genTs = time();
+    }
+    if (!$life) {
+      $life = 24 * 2;
+    }
     // Trim 8 chars off the string, make it slightly easier to find
     // but reveals less information from the hash.
-    return substr(md5("{$siteKey}_{$eid}_{$fid}"), 8);
+    $cs = hash_hmac('sha256', "{$fid}_{$life}", $siteKey);
+    return "{$cs}_{$genTs}_{$life}";
   }
 
 }
diff --git a/CRM/Core/Page/File.php b/CRM/Core/Page/File.php
index 06ec2da66e..3f0e894193 100644
--- a/CRM/Core/Page/File.php
+++ b/CRM/Core/Page/File.php
@@ -92,9 +92,18 @@ class CRM_Core_Page_File extends CRM_Core_Page {
    * @return bool
    */
   public static function validateFileHash($hash, $eid, $fid) {
-    $testHash = CRM_Core_BAO_File::generateFileHash($eid, $fid);
-    if ($testHash == $hash) {
-      return TRUE;
+    $input = CRM_Utils_System::explode('_', $hash, 3);
+    $inputTs = CRM_Utils_Array::value(1, $input);
+    $inputLF = CRM_Utils_Array::value(2, $input);
+    $testHash = CRM_Core_BAO_File::generateFileHash($eid, $fid, $inputTs, $inputLF);
+    if (hash_equals($testHash, $hash)) {
+      $now = time();
+      if ($inputTs + ($inputLF * 60 * 60) >= $now) {
+        return TRUE;
+      }
+      else {
+        return FALSE;
+      }
     }
     return FALSE;
   }
-- 
2.25.1