typo3-rector icon indicating copy to clipboard operation
typo3-rector copied to clipboard

Published 20 hours ago verified publisher icon sabbelasichon

Deprecation: #102763 - Extbase HashService

Open simonschaufi opened this issue 6 months ago • 0 comments

Deprecation: #102763 - Extbase HashService

https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/13.0/Deprecation-102763-ExtbaseHashService.html

Deprecation: #102763 - Extbase HashService

See 102763

Description

Internal class \TYPO3\CMS\Extbase\Security\Cryptography\HashService is deprecated in favor of \TYPO3\CMS\Core\Crypto\HashService, which requires an additional secret to prevent re-using generated hashes in different contexts.

Impact

Using class \TYPO3\CMS\Extbase\Security\Cryptography\HashService will trigger a PHP deprecation warning.

Affected installations

TYPO3 installations with custom extensions using \TYPO3\CMS\Extbase\Security\Cryptography\HashService.

Migration

Class \TYPO3\CMS\Core\Crypto\HashService must be used to migrate.

Before

$hashService = new \TYPO3\CMS\Extbase\Security\Cryptography\HashService();

$generatedHash = $hashService->generateHmac('123');
$isValidHash = $hashService->validateHmac('123', $generatedHash);

$stringWithAppendedHash = $hashService->appendHmac('123');
$validatedStringWithHashRemoved = $hashService->validateAndStripHmac($stringWithAppendedHash);

After

$hashService = new \TYPO3\CMS\Core\Crypto\HashService();

$generatedHash = $hashService->hmac('123', 'myAdditionalSecret');
$isValidHash = $hashService->validateHmac('123', 'myAdditionalSecret', $generatedHash);

$stringWithAppendedHash = $hashService->appendHmac('123', 'myAdditionalSecret');
$validatedStringWithHashRemoved = $hashService->validateAndStripHmac($stringWithAppendedHash, 'myAdditionalSecret');

Note, $additionalSecret string must be unique per context, so hashes for the same input are different depending on scope.

PHP-API, FullyScanned, ext:extbase

simonschaufi avatar Feb 12 '24 19:02 simonschaufi