1
0
mirror of https://github.com/vichan-devel/vichan.git synced 2024-11-12 01:50:48 +01:00

Fix #284 for new installations _only_

Users with existing installations are still required to follow the
advice in security bulletin #284.

This commit isn't perfect -- PHP installations below 7.0 and w/o OpenSSL
cannot be fully secured in my estimation. . .
This commit is contained in:
Fredrick Brennan 2018-01-29 18:19:16 +08:00
parent 6ae0f45c31
commit 693fa1bdfa

View File

@ -2,11 +2,51 @@
// Installation/upgrade file
define('VERSION', '5.1.4');
require 'inc/functions.php';
loadConfig();
// Salt generators
class SaltGen {
public $salt_length = 128;
// Best function I could think of for non-SSL PHP 5
private function generate_install_salt() {
$ret = "";
// This is bad! But what else can we do sans OpenSSL?
for ($i = 0; $i < $this->salt_length; ++$i) {
$s = pack("c", mt_rand(0,255));
$ret = $ret . $s;
}
return base64_encode($ret);
}
// Best function of the lot. Works with any PHP version as long as OpenSSL extension is on
private function generate_install_salt_openssl() {
$ret = openssl_random_pseudo_bytes($this->salt_length, $strong);
if (!$strong) {
error(_("Misconfigured system: OpenSSL returning weak salts. Cannot continue."));
}
return base64_encode($ret);
}
private function generate_install_salt_php7() {
return base64_encode(random_bytes($this->salt_length));
}
// TODO: Perhaps add mcrypt as an option? Maybe overkill.
public function generate() {
if (extension_loaded('openssl')) {
return "OSSL." . $this->generate_install_salt_openssl();
} else if (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7) {
return "PHP7." . $this->generate_install_salt_php7();
} else {
return "INSECURE." . $this->generate_install_salt();
}
}
}
$step = isset($_GET['step']) ? round($_GET['step']) : 0;
$page = array(
'config' => $config,
@ -679,6 +719,10 @@ if ($step == 0) {
'Imagick' => array(
'installed' => extension_loaded('imagick'),
'required' => false
),
'OpenSSL' => array(
'installed' => extension_loaded('openssl'),
'required' => false
)
);
@ -704,6 +748,13 @@ if ($step == 0) {
'required' => true,
'message' => 'You must install the PHP <a href="http://www.php.net/manual/en/mbstring.installation.php">mbstring</a> extension.',
),
array(
'category' => 'PHP',
'name' => 'OpenSSL extension installed or PHP &ge; 7.0',
'result' => (extension_loaded('openssl') || (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7)),
'required' => false,
'message' => 'It is highly recommended that you install the PHP <a href="http://www.php.net/manual/en/openssl.installation.php">OpenSSL</a> extension and/or use PHP version 7 or above. <strong>If you do not, it is possible that the IP addresses of users of your site could be compromised &mdash; see <a href="https://github.com/vichan-devel/vichan/issues/284">vichan issue #284.</a></strong> Installing the OpenSSL extension allows vichan to generate a secure salt automatically for you.',
),
array(
'category' => 'Database',
'name' => 'PDO extension installed',
@ -862,11 +913,13 @@ if ($step == 0) {
'config' => $config,
));
} elseif ($step == 2) {
// Basic config
$page['title'] = 'Configuration';
$config['cookies']['salt'] = substr(base64_encode(sha1(rand())), 0, 30);
$config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30);
$sg = new SaltGen();
$config['cookies']['salt'] = $sg->generate();
$config['secure_trip_salt'] = $sg->generate();
echo Element('page.html', array(
'body' => Element('installer/config.html', array(