mirror of
https://github.com/vichan-devel/vichan.git
synced 2024-11-13 18:40:49 +01:00
Fix #284 for new installations _only_
Users with existing installations are still required to follow the advice in security bulletin #284. This commit isn't perfect -- PHP installations below 7.0 and w/o OpenSSL cannot be fully secured in my estimation. . .
This commit is contained in:
parent
6ae0f45c31
commit
693fa1bdfa
63
install.php
63
install.php
@ -2,11 +2,51 @@
|
|||||||
|
|
||||||
// Installation/upgrade file
|
// Installation/upgrade file
|
||||||
define('VERSION', '5.1.4');
|
define('VERSION', '5.1.4');
|
||||||
|
|
||||||
require 'inc/functions.php';
|
require 'inc/functions.php';
|
||||||
|
|
||||||
loadConfig();
|
loadConfig();
|
||||||
|
|
||||||
|
// Salt generators
|
||||||
|
class SaltGen {
|
||||||
|
public $salt_length = 128;
|
||||||
|
|
||||||
|
// Best function I could think of for non-SSL PHP 5
|
||||||
|
private function generate_install_salt() {
|
||||||
|
$ret = "";
|
||||||
|
|
||||||
|
// This is bad! But what else can we do sans OpenSSL?
|
||||||
|
for ($i = 0; $i < $this->salt_length; ++$i) {
|
||||||
|
$s = pack("c", mt_rand(0,255));
|
||||||
|
$ret = $ret . $s;
|
||||||
|
}
|
||||||
|
|
||||||
|
return base64_encode($ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Best function of the lot. Works with any PHP version as long as OpenSSL extension is on
|
||||||
|
private function generate_install_salt_openssl() {
|
||||||
|
$ret = openssl_random_pseudo_bytes($this->salt_length, $strong);
|
||||||
|
if (!$strong) {
|
||||||
|
error(_("Misconfigured system: OpenSSL returning weak salts. Cannot continue."));
|
||||||
|
}
|
||||||
|
return base64_encode($ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
private function generate_install_salt_php7() {
|
||||||
|
return base64_encode(random_bytes($this->salt_length));
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: Perhaps add mcrypt as an option? Maybe overkill.
|
||||||
|
public function generate() {
|
||||||
|
if (extension_loaded('openssl')) {
|
||||||
|
return "OSSL." . $this->generate_install_salt_openssl();
|
||||||
|
} else if (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7) {
|
||||||
|
return "PHP7." . $this->generate_install_salt_php7();
|
||||||
|
} else {
|
||||||
|
return "INSECURE." . $this->generate_install_salt();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$step = isset($_GET['step']) ? round($_GET['step']) : 0;
|
$step = isset($_GET['step']) ? round($_GET['step']) : 0;
|
||||||
$page = array(
|
$page = array(
|
||||||
'config' => $config,
|
'config' => $config,
|
||||||
@ -679,6 +719,10 @@ if ($step == 0) {
|
|||||||
'Imagick' => array(
|
'Imagick' => array(
|
||||||
'installed' => extension_loaded('imagick'),
|
'installed' => extension_loaded('imagick'),
|
||||||
'required' => false
|
'required' => false
|
||||||
|
),
|
||||||
|
'OpenSSL' => array(
|
||||||
|
'installed' => extension_loaded('openssl'),
|
||||||
|
'required' => false
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -704,6 +748,13 @@ if ($step == 0) {
|
|||||||
'required' => true,
|
'required' => true,
|
||||||
'message' => 'You must install the PHP <a href="http://www.php.net/manual/en/mbstring.installation.php">mbstring</a> extension.',
|
'message' => 'You must install the PHP <a href="http://www.php.net/manual/en/mbstring.installation.php">mbstring</a> extension.',
|
||||||
),
|
),
|
||||||
|
array(
|
||||||
|
'category' => 'PHP',
|
||||||
|
'name' => 'OpenSSL extension installed or PHP ≥ 7.0',
|
||||||
|
'result' => (extension_loaded('openssl') || (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7)),
|
||||||
|
'required' => false,
|
||||||
|
'message' => 'It is highly recommended that you install the PHP <a href="http://www.php.net/manual/en/openssl.installation.php">OpenSSL</a> extension and/or use PHP version 7 or above. <strong>If you do not, it is possible that the IP addresses of users of your site could be compromised — see <a href="https://github.com/vichan-devel/vichan/issues/284">vichan issue #284.</a></strong> Installing the OpenSSL extension allows vichan to generate a secure salt automatically for you.',
|
||||||
|
),
|
||||||
array(
|
array(
|
||||||
'category' => 'Database',
|
'category' => 'Database',
|
||||||
'name' => 'PDO extension installed',
|
'name' => 'PDO extension installed',
|
||||||
@ -862,11 +913,13 @@ if ($step == 0) {
|
|||||||
'config' => $config,
|
'config' => $config,
|
||||||
));
|
));
|
||||||
} elseif ($step == 2) {
|
} elseif ($step == 2) {
|
||||||
|
|
||||||
// Basic config
|
// Basic config
|
||||||
$page['title'] = 'Configuration';
|
$page['title'] = 'Configuration';
|
||||||
|
|
||||||
$config['cookies']['salt'] = substr(base64_encode(sha1(rand())), 0, 30);
|
$sg = new SaltGen();
|
||||||
$config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30);
|
$config['cookies']['salt'] = $sg->generate();
|
||||||
|
$config['secure_trip_salt'] = $sg->generate();
|
||||||
|
|
||||||
echo Element('page.html', array(
|
echo Element('page.html', array(
|
||||||
'body' => Element('installer/config.html', array(
|
'body' => Element('installer/config.html', array(
|
||||||
|
Loading…
Reference in New Issue
Block a user