From 5a52d2c009ed2bb4f194e92da2cbe8458368f68e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Wed, 10 Aug 2022 12:03:40 +0200
Subject: [PATCH] Use `Hex::encode()` in PackageInstallationDispatcher

This must be safe at this point, because WCFSetup relies on composer's autoloader to work.
---
 .../package/PackageInstallationDispatcher.class.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php b/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
index baa56129f9..f16cd1cef6 100644
--- a/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
+++ b/wcfsetup/install/files/lib/system/package/PackageInstallationDispatcher.class.php
@@ -2,6 +2,7 @@
 namespace wcf\system\package;
+use ParagonIE\ConstantTime\Hex;
 use wcf\data\application\Application;
 use wcf\data\application\ApplicationEditor;
 use wcf\data\devtools\project\DevtoolsProjectAction;
@@ -222,21 +223,17 @@ class PackageInstallationDispatcher
 }
 $statement->execute([
- // We do not use the cache-timing safe class Hex, because we run the
- // function during the setup.
- $signatureSecret = \bin2hex(\random_bytes(20)),
+ $signatureSecret = Hex::encode(\random_bytes(20)),
 'signature_secret',
 ]);
 \define('SIGNATURE_SECRET', $signatureSecret);
 HeaderUtil::setCookie(
 'user_session',
- // We do not use the cache-timing safe class Hex, because we run the
- // function during the setup.
 CryptoUtil::createSignedString(
 \pack(
 'CA20C',
 1,
- \hex2bin(WCF::getSession()->sessionID),
+ Hex::encode(WCF::getSession()->sessionID),
 0
 )
 )
--
2.20.1
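Review bot: Inside the `\pack('CA20C', …)` call of the second hunk, the removed line decoded the session ID with `\hex2bin(...)`, but its replacement calls `Hex::encode(...)`, which converts in the opposite direction. The constant-time counterpart of `hex2bin` is `Hex::decode()`, so the line should read `Hex::decode(WCF::getSession()->sessionID),`. As written, the already-hex session ID is hex-encoded a second time and the `A20` field keeps only the first 20 characters of that output, so the signed `user_session` cookie set during setup would presumably carry a truncated, re-encoded prefix instead of the 20 raw session-ID bytes. The `Hex::encode(\random_bytes(20))` replacement for `\bin2hex` earlier in the hunk is a correct like-for-like swap. The enclosing method starts and ends outside the hunk.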