Hash verification fails when CDN is used

Created on 15 July 2025, 20 days ago

Problem

Hash verification uses the server host variable instead of the Drupal base URL.

Steps to reproduce

See:

  public function verifyHash(string $providedHash, int $timestamp, ?string $productionHost = NULL): bool {
...
    // Use $_SERVER['HTTP_HOST'] if production host not provided.
    $host = $productionHost ?? $_SERVER['HTTP_HOST'];
    $expectedHash = $this->generateVerificationHash($host, $timestamp);
    return hash_equals($expectedHash, $providedHash);
  }

Proposed resolution

Use the same production host as used in the UI when determining whether the current environment is prod - that works!

🐛 Bug report

Status: Active
Version: 1.0
Component: Code
Created by: 🇦🇹 fago (Vienna, Austria)
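
The failure mode reported above, as an added PHP example that is not the module's own code. `generateVerificationHash()` is modelled as an HMAC over host and timestamp (an assumption, since its body is not shown on the page); the secret, hostnames, helper names and the premise that the CDN forwards requests to the origin under a different `Host` value are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the module's generateVerificationHash().
// Assumption: the hash binds the host name and timestamp under a secret.
function generateVerificationHash(string $secret, string $host, int $timestamp): string {
  return hash_hmac('sha256', strtolower($host) . ':' . $timestamp, $secret);
}

// Behaviour quoted in the issue: with no production host passed in, the
// expected hash is derived from the request's Host header.
function verifyWithRequestHost(string $secret, string $providedHash, int $timestamp, array $server): bool {
  $host = $server['HTTP_HOST'] ?? '';
  return hash_equals(generateVerificationHash($secret, $host, $timestamp), $providedHash);
}

// Proposed resolution: derive the expected hash from the configured
// production host, so the result does not depend on request headers.
function verifyWithConfiguredHost(string $secret, string $providedHash, int $timestamp, string $configuredHost): bool {
  return hash_equals(generateVerificationHash($secret, $configuredHost, $timestamp), $providedHash);
}

// Constructed sample values.
$secret     = 'constructed-secret';
$timestamp  = 1752576000;
$publicHost = 'www.example.com';          // host the hash was generated for
$originHost = 'origin.example.internal';  // Host value seen behind the CDN (assumed)

$hash = generateVerificationHash($secret, $publicHost, $timestamp);

$cases = [
  // Request reaches Drupal directly: Host matches the production host.
  'request host, direct'  => verifyWithRequestHost($secret, $hash, $timestamp, ['HTTP_HOST' => $publicHost]),
  // Request arrives through the CDN: Host no longer matches, so the
  // request-derived expected hash differs from the provided one.
  'request host, via CDN' => verifyWithRequestHost($secret, $hash, $timestamp, ['HTTP_HOST' => $originHost]),
  // Configured host: same input on both paths, independent of the Host header.
  'configured host'       => verifyWithConfiguredHost($secret, $hash, $timestamp, $publicHost),
];

foreach ($cases as $label => $ok) {
  printf("%-22s %s\n", $label, $ok ? 'verified' : 'rejected');
}
```

Because the `Host` header is supplied by the client or rewritten by intermediaries, taking the host from configuration also keeps request data out of the verification input.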
