mirror of
https://github.com/vichan-devel/vichan.git
synced 2024-11-27 17:00:52 +01:00
Fix #284 for new installations _only_
Users with existing installations are still required to follow the advice in security bulletin #284. This commit isn't perfect -- PHP installations below 7.0 and w/o OpenSSL cannot be fully secured in my estimation. . .
This commit is contained in:
parent
6ae0f45c31
commit
693fa1bdfa
61
install.php
61
install.php
@ -2,11 +2,51 @@
|
||||
|
||||
// Installation/upgrade file
|
||||
define('VERSION', '5.1.4');
|
||||
|
||||
require 'inc/functions.php';
|
||||
|
||||
loadConfig();
|
||||
|
||||
// Salt generators
|
||||
class SaltGen {
|
||||
public $salt_length = 128;
|
||||
|
||||
// Best function I could think of for non-SSL PHP 5
|
||||
private function generate_install_salt() {
|
||||
$ret = "";
|
||||
|
||||
// This is bad! But what else can we do sans OpenSSL?
|
||||
for ($i = 0; $i < $this->salt_length; ++$i) {
|
||||
$s = pack("c", mt_rand(0,255));
|
||||
$ret = $ret . $s;
|
||||
}
|
||||
|
||||
return base64_encode($ret);
|
||||
}
|
||||
|
||||
// Best function of the lot. Works with any PHP version as long as OpenSSL extension is on
|
||||
private function generate_install_salt_openssl() {
|
||||
$ret = openssl_random_pseudo_bytes($this->salt_length, $strong);
|
||||
if (!$strong) {
|
||||
error(_("Misconfigured system: OpenSSL returning weak salts. Cannot continue."));
|
||||
}
|
||||
return base64_encode($ret);
|
||||
}
|
||||
|
||||
private function generate_install_salt_php7() {
|
||||
return base64_encode(random_bytes($this->salt_length));
|
||||
}
|
||||
|
||||
// TODO: Perhaps add mcrypt as an option? Maybe overkill.
|
||||
public function generate() {
|
||||
if (extension_loaded('openssl')) {
|
||||
return "OSSL." . $this->generate_install_salt_openssl();
|
||||
} else if (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7) {
|
||||
return "PHP7." . $this->generate_install_salt_php7();
|
||||
} else {
|
||||
return "INSECURE." . $this->generate_install_salt();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$step = isset($_GET['step']) ? round($_GET['step']) : 0;
|
||||
$page = array(
|
||||
'config' => $config,
|
||||
@ -679,6 +719,10 @@ if ($step == 0) {
|
||||
'Imagick' => array(
|
||||
'installed' => extension_loaded('imagick'),
|
||||
'required' => false
|
||||
),
|
||||
'OpenSSL' => array(
|
||||
'installed' => extension_loaded('openssl'),
|
||||
'required' => false
|
||||
)
|
||||
);
|
||||
|
||||
@ -704,6 +748,13 @@ if ($step == 0) {
|
||||
'required' => true,
|
||||
'message' => 'You must install the PHP <a href="http://www.php.net/manual/en/mbstring.installation.php">mbstring</a> extension.',
|
||||
),
|
||||
array(
|
||||
'category' => 'PHP',
|
||||
'name' => 'OpenSSL extension installed or PHP ≥ 7.0',
|
||||
'result' => (extension_loaded('openssl') || (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7)),
|
||||
'required' => false,
|
||||
'message' => 'It is highly recommended that you install the PHP <a href="http://www.php.net/manual/en/openssl.installation.php">OpenSSL</a> extension and/or use PHP version 7 or above. <strong>If you do not, it is possible that the IP addresses of users of your site could be compromised — see <a href="https://github.com/vichan-devel/vichan/issues/284">vichan issue #284.</a></strong> Installing the OpenSSL extension allows vichan to generate a secure salt automatically for you.',
|
||||
),
|
||||
array(
|
||||
'category' => 'Database',
|
||||
'name' => 'PDO extension installed',
|
||||
@ -862,11 +913,13 @@ if ($step == 0) {
|
||||
'config' => $config,
|
||||
));
|
||||
} elseif ($step == 2) {
|
||||
|
||||
// Basic config
|
||||
$page['title'] = 'Configuration';
|
||||
|
||||
$config['cookies']['salt'] = substr(base64_encode(sha1(rand())), 0, 30);
|
||||
$config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30);
|
||||
$sg = new SaltGen();
|
||||
$config['cookies']['salt'] = $sg->generate();
|
||||
$config['secure_trip_salt'] = $sg->generate();
|
||||
|
||||
echo Element('page.html', array(
|
||||
'body' => Element('installer/config.html', array(
|
||||
|
Loading…
Reference in New Issue
Block a user