Magento – Security Patch SUPEE-8788 – Problem hash_equals Encryption.php

magento-1.9

I applied the patch correctly, but trying to log in (admin) gives the following error:

error_log:
PHP Fatal error: Call to undefined function hash_equals() in /app/code/core/Mage/Core/Model/Encryption.php on line 103

Encryption.php on line 103

/**
 * Validate hash against hashing method (with or without salt)
 *
 * @param string $password
 * @param string $hash
 * @return bool
 * @throws Exception
 */
public function validateHash($password, $hash)
{
    $hashArr = explode(':', $hash);
    switch (count($hashArr)) {
        case 1:
            return hash_equals($this->hash($password), $hash);
        case 2:
            return hash_equals($this->hash($hashArr[1] . $password),  $hashArr[0]);
    }
    Mage::throwException('Invalid hash.');
}

I use the following version:

PHP Version 5.3.29

Magento Version 1.9.2.4

I've already done what was suggested in this post, but the problem when logging in remains.

Security Patch SUPEE-8788 – Possible Problems?

Best Answer

The function hash_equals has been available in PHP since version 5.6. See http://php.net/manual/ru/function.hash-equals.php.

But patch SUPEE-8788 patches the file app/code/core/Mage/Core/functions.php and adds this code to the end of the file for old versions of PHP:

if (!function_exists('hash_equals')) {
    /**
     * Compares two strings using the same time whether they're equal or not.
     * A difference in length will leak
     *
     * @param string $known_string
     * @param string $user_string
     * @return boolean Returns true when the two strings are equal, false otherwise.
     */
    function hash_equals($known_string, $user_string)
    {
        $result = 0;

        if (!is_string($known_string)) {
            trigger_error("hash_equals(): Expected known_string to be a string", E_USER_WARNING);
            return false;
        }

        if (!is_string($user_string)) {
            trigger_error("hash_equals(): Expected user_string to be a string", E_USER_WARNING);
            return false;
        }

        if (strlen($known_string) != strlen($user_string)) {
            return false;
        }

        for ($i = 0; $i < strlen($known_string); $i++) {
            $result |= (ord($known_string[$i]) ^ ord($user_string[$i]));
        }

        return 0 === $result;
    }
}

Please make sure that the patch was applied correctly and that this file was patched.

Also check the file app/etc/applied.patches.list and look for 'SUPEE-8788' there.

UPDATE:

Even if your patch was applied successfully, it may be that you have a copy of functions.php in app/code/local/Mage/Core.

You will have to insert that function there too, because that file overwrites the core one.

So insert it at the end of app/code/local/Mage/Core/functions.php.
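
The three checks from the answer above, collected into one script. This is an added example, not part of the original answer or of the Magento patch; the function names `has_polyfill` and `check_hash_equals_polyfill` are made up for this example, and the file paths are the ones named in the answer. It only matters on PHP versions without a native hash_equals().

```shell
#!/bin/sh
# Diagnose "Call to undefined function hash_equals()" after SUPEE-8788.
# Prints one finding per line; returns 0 if every check passes, 1 otherwise.

has_polyfill() {
    # True if the file declares a hash_equals() function. A bare
    # function_exists('hash_equals') guard does not match this pattern.
    grep -Eq 'function[[:space:]]+hash_equals[[:space:]]*\(' "$1" 2>/dev/null
}

check_hash_equals_polyfill() {
    root=$1
    core="$root/app/code/core/Mage/Core/functions.php"
    local_copy="$root/app/code/local/Mage/Core/functions.php"
    list="$root/app/etc/applied.patches.list"
    rc=0

    if grep -q 'SUPEE-8788' "$list" 2>/dev/null; then
        echo "OK: SUPEE-8788 is recorded in app/etc/applied.patches.list"
    else
        echo "FAIL: SUPEE-8788 not found in app/etc/applied.patches.list"
        rc=1
    fi

    if has_polyfill "$core"; then
        echo "OK: core functions.php defines hash_equals()"
    else
        echo "FAIL: core functions.php has no hash_equals() fallback"
        rc=1
    fi

    # A copy under app/code/local is loaded instead of the core file,
    # so it needs the fallback as well.
    if [ -f "$local_copy" ]; then
        if has_polyfill "$local_copy"; then
            echo "OK: local functions.php override defines hash_equals()"
        else
            echo "FAIL: local functions.php override lacks hash_equals()"
            rc=1
        fi
    else
        echo "OK: no local functions.php override present"
    fi
    return $rc
}

# Run against the Magento root given on the command line, if any.
if [ -n "${1:-}" ]; then check_hash_equals_polyfill "$1"; fi
```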
