Fix #284 for new installations _only_

Users with existing installations are still required to follow the advice in security bulletin #284. This commit isn't perfect -- PHP installations below 7.0 and w/o OpenSSL cannot be fully secured in my estimation. . .
2024-11-27 17:00:52 +01:00 · 2018-01-29 18:19:16 +08:00 · 2018-01-29 18:19:16 +08:00 · 693fa1bdfa
commit 693fa1bdfa
parent 6ae0f45c31
1 changed files with 58 additions and 5 deletions
--- a/install.php
+++ b/install.php
@ -2,11 +2,51 @@
 // Installation/upgrade file	
 define('VERSION', '5.1.4');
 require 'inc/functions.php';
 loadConfig();
 // Salt generators
 class SaltGen {
 	public $salt_length = 128;
 	// Best function I could think of for non-SSL PHP 5
 	private function generate_install_salt() {
 		$ret = "";
 		// This is bad! But what else can we do sans OpenSSL?
 		for ($i = 0; $i < $this->salt_length; ++$i) {
 			$s = pack("c", mt_rand(0,255));
 			$ret = $ret . $s;
 		}
 		return base64_encode($ret);
 	}
 	// Best function of the lot. Works with any PHP version as long as OpenSSL extension is on
 	private function generate_install_salt_openssl() {
 		$ret = openssl_random_pseudo_bytes($this->salt_length, $strong);
 		if (!$strong) {
 			error(_("Misconfigured system: OpenSSL returning weak salts. Cannot continue."));
 		}
 		return base64_encode($ret);
 	}
 	private function generate_install_salt_php7() {
 		return base64_encode(random_bytes($this->salt_length));
 	}
 	// TODO: Perhaps add mcrypt as an option? Maybe overkill.
 	public function generate() {
 		if (extension_loaded('openssl')) {
 			return "OSSL." . $this->generate_install_salt_openssl();
 		} else if (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7) {
 			return "PHP7." . $this->generate_install_salt_php7();
 		} else {
 			return "INSECURE." . $this->generate_install_salt();
 		}
 	}
 }
 $step = isset($_GET['step']) ? round($_GET['step']) : 0;
 $page = array(
 	'config' => $config,
@ -679,6 +719,10 @@ if ($step == 0) {
 		'Imagick' => array(
 			'installed' => extension_loaded('imagick'),
 			'required' => false
 		),
 		'OpenSSL' => array(
 			'installed' => extension_loaded('openssl'),
 			'required' => false
 		)
 	);
@ -704,6 +748,13 @@ if ($step == 0) {
 			'required' => true,
 			'message' => 'You must install the PHP <a href="http://www.php.net/manual/en/mbstring.installation.php">mbstring</a> extension.',
 		),
 		array(
 			'category' => 'PHP',
 			'name' => 'OpenSSL extension installed or PHP &ge; 7.0',
 			'result' => (extension_loaded('openssl') || (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7)),
 			'required' => false,
 			'message' => 'It is highly recommended that you install the PHP <a href="http://www.php.net/manual/en/openssl.installation.php">OpenSSL</a> extension and/or use PHP version 7 or above. <strong>If you do not, it is possible that the IP addresses of users of your site could be compromised &mdash; see <a href="https://github.com/vichan-devel/vichan/issues/284">vichan issue #284.</a></strong> Installing the OpenSSL extension allows vichan to generate a secure salt automatically for you.',
 		),
 		array(
 			'category' => 'Database',
 			'name' => 'PDO extension installed',
@ -862,11 +913,13 @@ if ($step == 0) {
 		'config' => $config,
 	));
 } elseif ($step == 2) {
 	// Basic config
 	$page['title'] = 'Configuration';
-	
+
-	$config['cookies']['salt'] = substr(base64_encode(sha1(rand())), 0, 30);
+	$sg = new SaltGen();
-	$config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30);	
+	$config['cookies']['salt'] = $sg->generate();
 	$config['secure_trip_salt'] = $sg->generate();
 	echo Element('page.html', array(
 		'body' => Element('installer/config.html', array(