From fe29214001f83cc3025deaa39b59c4ccdce5d13c Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Sat, 15 Jun 2024 12:13:47 +0200
Subject: [PATCH] Remove the additional secret for files

It serves no real purpose. Guessing the SHA-256 hash is impossible due to entropy and if you *know* the hash then you pretty much know the file contents too. There is no imaginable scenario where leaking the hash would not also leak the secret.
---
 .../install/files/acp/database/update_com.woltlab.wcf_6.1.php | 3 ---
 wcfsetup/install/files/lib/data/file/File.class.php | 4 +---
 wcfsetup/install/files/lib/data/file/FileEditor.class.php | 2 --
 .../files/lib/system/file/processor/FileProcessor.class.php | 1 -
 wcfsetup/setup/db/install.sql | 1 -
 5 files changed, 1 insertion(+), 10 deletions(-)

diff --git a/wcfsetup/install/files/acp/database/update_com.woltlab.wcf_6.1.php b/wcfsetup/install/files/acp/database/update_com.woltlab.wcf_6.1.php
index e29c71c67b..25da965f87 100644
--- a/wcfsetup/install/files/acp/database/update_com.woltlab.wcf_6.1.php
+++ b/wcfsetup/install/files/acp/database/update_com.woltlab.wcf_6.1.php
@@ -73,9 +73,6 @@ return [
 VarcharDatabaseTableColumn::create('fileExtension')
 ->length(10)
 ->notNull(),
- CharDatabaseTableColumn::create('secret') ->length(32) ->notNull(),
 IntDatabaseTableColumn::create('objectTypeID'),
 NotNullVarchar255DatabaseTableColumn::create('mimeType'),
 IntDatabaseTableColumn::create('width'),
diff --git a/wcfsetup/install/files/lib/data/file/File.class.php b/wcfsetup/install/files/lib/data/file/File.class.php
index 3802717fab..a59c46fea0 100644
--- a/wcfsetup/install/files/lib/data/file/File.class.php
+++ b/wcfsetup/install/files/lib/data/file/File.class.php
@@ -23,7 +23,6 @@ use wcf\util\StringUtil;
 * @property-read int $fileSize
 * @property-read string $fileHash
 * @property-read string $fileExtension
- * @property-read string $secret
 * @property-read int|null $objectTypeID
 * @property-read string $mimeType
 * @property-read int|null $width
@@ -65,10 +64,9 @@ class File extends DatabaseObject
 public function getSourceFilename(): string
 {
 return \sprintf(
- '%d-%s-%s.%s',
+ '%d-%s.%s',
 $this->fileID,
 $this->fileHash,
- $this->secret,
 $this->fileExtension,
 );
 }
diff --git a/wcfsetup/install/files/lib/data/file/FileEditor.class.php b/wcfsetup/install/files/lib/data/file/FileEditor.class.php
index 611aae7010..2b860602c2 100644
--- a/wcfsetup/install/files/lib/data/file/FileEditor.class.php
+++ b/wcfsetup/install/files/lib/data/file/FileEditor.class.php
@@ -82,7 +82,6 @@ class FileEditor extends DatabaseObjectEditor
 'fileSize' => $fileTemporary->fileSize,
 'fileHash' => $fileTemporary->fileHash,
 'fileExtension' => File::getSafeFileExtension($mimeType, $fileTemporary->filename),
- 'secret' => \bin2hex(\random_bytes(16)),
 'objectTypeID' => $fileTemporary->objectTypeID,
 'mimeType' => $mimeType,
 'width' => $width,
@@ -137,7 +136,6 @@ class FileEditor extends DatabaseObjectEditor
 'fileSize' => \filesize($pathname),
 'fileHash' => \hash_file('sha256', $pathname),
 'fileExtension' => File::getSafeFileExtension($mimeType, $originalFilename),
- 'secret' => \bin2hex(\random_bytes(16)),
 'objectTypeID' => $objectType->objectTypeID,
 'mimeType' => $mimeType,
 'width' => $width,
diff --git a/wcfsetup/install/files/lib/system/file/processor/FileProcessor.class.php b/wcfsetup/install/files/lib/system/file/processor/FileProcessor.class.php
index 0255fb5ab6..d4a4f099fe 100644
--- a/wcfsetup/install/files/lib/system/file/processor/FileProcessor.class.php
+++ b/wcfsetup/install/files/lib/system/file/processor/FileProcessor.class.php
@@ -297,7 +297,6 @@ final class FileProcessor extends SingletonFactory
 'fileSize' => $oldFile->fileSize,
 'fileHash' => $oldFile->fileHash,
 'fileExtension' => $oldFile->fileExtension,
- 'secret' => \hex2bin(\random_bytes(10)),
 'objectTypeID' => $objectTypeObj->objectTypeID,
 'mimeType' => $oldFile->mimeType,
 'width' => $oldFile->width,
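Review bot: getSourceFilename() now derives the on-disk name entirely from record fields (fileID, fileHash, fileExtension), so the name is an identifier rather than an access token, and nothing in the method records that for the next maintainer. Because fileHash is the SHA-256 of the content (the FileEditor hunk in this patch computes it via `\hash_file('sha256', $pathname)`), a docblock should state it, e.g. `/** Returns the storage filename "{fileID}-{fileHash}.{fileExtension}". The name is derived from the content hash and is not a secret; authorization must be enforced before any path or URL built from it is handed out. */`. If any files were already written under the previous `%d-%s-%s.%s` pattern, they will no longer resolve through this method; I cannot tell from the diff whether a rename step exists or is needed for deployments that used the interim format.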
diff --git a/wcfsetup/setup/db/install.sql b/wcfsetup/setup/db/install.sql
index 727af3850e..35b40e4f22 100644
--- a/wcfsetup/setup/db/install.sql
+++ b/wcfsetup/setup/db/install.sql
@@ -605,7 +605,6 @@ CREATE TABLE wcf1_file (
 fileSize BIGINT NOT NULL,
 fileHash CHAR(64) NOT NULL,
 fileExtension VARCHAR(10) NOT NULL,
- secret CHAR(32) NOT NULL,
 objectTypeID INT,
 mimeType VARCHAR(255) NOT NULL,
 width INT,
-- 
2.20.1