diff options
| author | Louis Chemineau <louis@chmn.me> | 2024-08-28 17:03:53 +0200 |
|---|---|---|
| committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2024-09-05 15:58:45 +0000 |
| commit | 94d307c3312a1b149f9c85f941ec54a2d4129ddb (patch) | |
| tree | 8323563350590a1874e2dfff1aee0a3ddb1df8e5 | |
| parent | 83e6649cfa502dcad5d9a65c2691b504abcbed09 (diff) | |
| download | nextcloud-server-94d307c3312a1b149f9c85f941ec54a2d4129ddb.tar.gz nextcloud-server-94d307c3312a1b149f9c85f941ec54a2d4129ddb.zip | |
fix: Use sha256 to hash arguments of background jobs
This is to prevent collision as we are sometime hashing user input, yet using that hash to target the background job in the database.
Signed-off-by: Louis Chemineau <louis@chmn.me>
| -rw-r--r-- | lib/private/BackgroundJob/JobList.php | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/private/BackgroundJob/JobList.php b/lib/private/BackgroundJob/JobList.php index 3978ae635f7..55051636a7e 100644 --- a/lib/private/BackgroundJob/JobList.php +++ b/lib/private/BackgroundJob/JobList.php @@ -20,7 +20,6 @@ use OCP\IDBConnection; use Psr\Log\LoggerInterface; use function get_class; use function json_encode; -use function md5; use function strlen; class JobList implements IJobList { @@ -50,7 +49,7 @@ class JobList implements IJobList { ->values([ 'class' => $query->createNamedParameter($class), 'argument' => $query->createNamedParameter($argumentJson), - 'argument_hash' => $query->createNamedParameter(md5($argumentJson)), + 'argument_hash' => $query->createNamedParameter(hash('sha256', $argumentJson)), 'last_run' => $query->createNamedParameter(0, IQueryBuilder::PARAM_INT), 'last_checked' => $query->createNamedParameter($firstCheck, IQueryBuilder::PARAM_INT), ]); @@ -60,7 +59,7 @@ class JobList implements IJobList { ->set('last_checked', $query->createNamedParameter($firstCheck, IQueryBuilder::PARAM_INT)) ->set('last_run', $query->createNamedParameter(0, IQueryBuilder::PARAM_INT)) ->where($query->expr()->eq('class', $query->createNamedParameter($class))) - ->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(md5($argumentJson)))); + ->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(hash('sha256', $argumentJson)))); } $query->executeStatement(); } @@ -81,7 +80,7 @@ class JobList implements IJobList { ->where($query->expr()->eq('class', $query->createNamedParameter($class))); if (!is_null($argument)) { $argumentJson = json_encode($argument); - $query->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(md5($argumentJson)))); + $query->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(hash('sha256', $argumentJson)))); } // Add galera safe delete chunking if using mysql @@ -122,7 +121,7 @@ class JobList implements IJobList { $query->select('id') ->from('jobs') ->where($query->expr()->eq('class', $query->createNamedParameter($class))) - ->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(md5($argument)))) + ->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(hash('sha256', $argument)))) ->setMaxResults(1); $result = $query->executeQuery(); |