authorLouis Chemineau <louis@chmn.me>2024-08-28 17:03:53 +0200
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>2024-09-05 15:57:28 +0000
commit1362dbda22f174c16099bccf248ee2de40cd8740 (patch)
treea11d3d0d30fc757fa89767321320de07851604c9 /lib/private/BackgroundJob
parent473c9d82490a31c4298aedca8d56682e862e11c8 (diff)
fix: Use sha256 to hash arguments of background jobs
This is to prevent collisions, as we sometimes hash user input and then use that hash to target the background job in the database. Signed-off-by: Louis Chemineau <louis@chmn.me>
Diffstat (limited to 'lib/private/BackgroundJob')
-rw-r--r--lib/private/BackgroundJob/JobList.php9
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/private/BackgroundJob/JobList.php b/lib/private/BackgroundJob/JobList.php
index 37fa65797c2..b442c2c3e93 100644
--- a/lib/private/BackgroundJob/JobList.php
+++ b/lib/private/BackgroundJob/JobList.php
@@ -43,7 +43,6 @@ use OCP\IDBConnection;
use Psr\Log\LoggerInterface;
use function get_class;
use function json_encode;
-use function md5;
use function strlen;
class JobList implements IJobList {
@@ -73,7 +72,7 @@ class JobList implements IJobList {
->values([
'class' => $query->createNamedParameter($class),
'argument' => $query->createNamedParameter($argumentJson),
- 'argument_hash' => $query->createNamedParameter(md5($argumentJson)),
+ 'argument_hash' => $query->createNamedParameter(hash('sha256', $argumentJson)),
'last_run' => $query->createNamedParameter(0, IQueryBuilder::PARAM_INT),
'last_checked' => $query->createNamedParameter($firstCheck, IQueryBuilder::PARAM_INT),
]);
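Review bot: The value written to `argument_hash` in this insert grows from 32 to 64 hex characters, and nothing in the visible diff (limited to lib/private/BackgroundJob) widens the column or rehashes existing rows. If the column is still sized for an MD5 digest, the insert will fail or truncate depending on the database; this should be confirmed against the schema migration, which may live elsewhere in the commit. Rows stored before the upgrade keep their MD5 value, so the `argument_hash` comparisons in the update, delete and select hunks below will not match them, and an already-scheduled job could be inserted a second time or survive a removal by argument. A migration that recomputes `hash('sha256', argument)` for existing rows, or a temporary fallback lookup on the old digest, would close that gap.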
@@ -83,7 +82,7 @@ class JobList implements IJobList {
->set('last_checked', $query->createNamedParameter($firstCheck, IQueryBuilder::PARAM_INT))
->set('last_run', $query->createNamedParameter(0, IQueryBuilder::PARAM_INT))
->where($query->expr()->eq('class', $query->createNamedParameter($class)))
- ->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(md5($argumentJson))));
+ ->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(hash('sha256', $argumentJson))));
}
$query->executeStatement();
}
@@ -104,7 +103,7 @@ class JobList implements IJobList {
->where($query->expr()->eq('class', $query->createNamedParameter($class)));
if (!is_null($argument)) {
$argumentJson = json_encode($argument);
- $query->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(md5($argumentJson))));
+ $query->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(hash('sha256', $argumentJson))));
}
// Add galera safe delete chunking if using mysql
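Review bot: The digest algorithm is now spelled out at four call sites (`hash('sha256', …)` here and in the insert, update and select hunks), so any later change has to touch every query in step or lookups silently stop matching. A single private helper, e.g. `private function hashArgument(string $argumentJson): string { return hash('sha256', $argumentJson); }`, would keep writers and readers in agreement. It would also be the natural place to handle `json_encode()` returning `false` in this branch, which is currently passed straight to the hash call. The enclosing function starts and ends outside the hunk.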
@@ -145,7 +144,7 @@ class JobList implements IJobList {
$query->select('id')
->from('jobs')
->where($query->expr()->eq('class', $query->createNamedParameter($class)))
- ->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(md5($argument))))
+ ->andWhere($query->expr()->eq('argument_hash', $query->createNamedParameter(hash('sha256', $argument))))
->setMaxResults(1);
$result = $query->executeQuery();