[TASK] Use GU::hmac() instead of encryption key in FileWriter 37/41937/4
author Anja Leichsenring <aleichsenring@ab-softlab.de>
Fri, 24 Jul 2015 16:32:04 +0000 (18:32 +0200)
committer Helmut Hummel <helmut.hummel@typo3.org>
Fri, 24 Jul 2015 17:03:46 +0000 (19:03 +0200)
commit 4839da3aeeae0129e564a712b4b516a26915296d
tree e979b2202bcbfd5740de98cd86192c231789c129
parent 97949799ac7477ba69fc6ca5790219744d536014
[TASK] Use GU::hmac() instead of encryption key in FileWriter

There is a potential attack to get hold of a secret encryption key
if such key is hashed with a single hash function and a small additional
string. So if you want to include the encryption key in a hash, you need
to *ALWAYS* use GeneralUtility::hmac() and not any different hash function.

Additionally, don't mention AdditionalConfiguration as place for config
manipulation, as it is considered a hack from core point of view
(see comment #52705).

Change-Id: I8c3a5c11222251acfe86da1c17e7934998858000
Resolves: #68521
Relates: #52705
Releases: master
Reviewed-on: http://review.typo3.org/41937
Reviewed-by: Alexander Stehlik <alexander.stehlik@gmail.com>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
typo3/sysext/core/Classes/Log/Writer/FileWriter.php
typo3/sysext/core/Documentation/Changelog/master/Breaking-52705-DefaultLogConfigurationIsChanged.rst
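
The rule stated in the commit message, shown as an added example that is not code from this commit or from TYPO3: a name derived by hashing the key with a short string, next to one derived with the key used only as an HMAC key. The function names, the sample key, the template path and the purpose labels are assumptions of this example; `suffixFromHmac()` uses PHP's `hash_hmac()` as a stand-in for `GeneralUtility::hmac()` so that it runs outside TYPO3.

```php
<?php
declare(strict_types=1);

// Constructed sample value standing in for the installation's encryption key.
const SAMPLE_ENCRYPTION_KEY = 'constructed-sample-key-do-not-use';

// Discouraged pattern: the key and a short string go through a single hash
// call, and part of the digest is placed in a name that can be disclosed.
function suffixFromPlainHash(string $encryptionKey, string $shortString): string
{
    return substr(md5($encryptionKey . $shortString), 0, 10);
}

// Preferred pattern: the encryption key is used only as the HMAC key and the
// non-secret value is the message. Hypothetical stand-in for calling
// GeneralUtility::hmac() so the example runs outside TYPO3.
function suffixFromHmac(string $encryptionKey, string $message, string $purpose): string
{
    // Assumption of this example: the purpose label is appended to the key so
    // that values derived for different purposes are unrelated.
    return substr(hash_hmac('sha1', $message, $encryptionKey . $purpose), 0, 10);
}

// Hypothetical log file template; %s receives the derived suffix.
$template = 'typo3temp/logs/typo3_%s.log';

$weak = suffixFromPlainHash(SAMPLE_ENCRYPTION_KEY, 'log');
$strong = suffixFromHmac(SAMPLE_ENCRYPTION_KEY, $template, 'defaultLogFile');
$otherPurpose = suffixFromHmac(SAMPLE_ENCRYPTION_KEY, $template, 'otherFeature');

printf("plain hash : %s\n", sprintf($template, $weak));
printf("hmac       : %s\n", sprintf($template, $strong));

// The derivation is deterministic, so the writer finds the same file again,
// while a different purpose label yields an unrelated suffix.
var_dump($strong === suffixFromHmac(SAMPLE_ENCRYPTION_KEY, $template, 'defaultLogFile'));
var_dump(hash_equals($strong, $otherPurpose));
```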