leftypol
/
leftypol_vichan
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity
Browse Source

Fix #284 for new installations _only_ 

Users with existing installations are still required to follow the
advice in security bulletin #284.

This commit isn't perfect -- PHP installations below 7.0 and w/o OpenSSL
cannot be fully secured in my estimation. . .
main
Fredrick Brennan 6 years ago
parent
6ae0f45c31
commit
693fa1bdfa
1 changed files with 58 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 63
      install.php

63
install.php
View File

@ -2,11 +2,51 @@
// Installation/upgrade file
define('VERSION', '5.1.4');
require 'inc/functions.php';
loadConfig();
// Salt generators
class SaltGen {
public $salt_length = 128;
// Best function I could think of for non-SSL PHP 5
private function generate_install_salt() {
$ret = "";
// This is bad! But what else can we do sans OpenSSL?
for ($i = 0; $i < $this->salt_length; ++$i) {
$s = pack("c", mt_rand(0,255));
$ret = $ret . $s;
}
return base64_encode($ret);
}
// Best function of the lot. Works with any PHP version as long as OpenSSL extension is on
private function generate_install_salt_openssl() {
$ret = openssl_random_pseudo_bytes($this->salt_length, $strong);
if (!$strong) {
error(_("Misconfigured system: OpenSSL returning weak salts. Cannot continue."));
}
return base64_encode($ret);
}
private function generate_install_salt_php7() {
return base64_encode(random_bytes($this->salt_length));
}
// TODO: Perhaps add mcrypt as an option? Maybe overkill.
public function generate() {
if (extension_loaded('openssl')) {
return "OSSL." . $this->generate_install_salt_openssl();
} else if (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7) {
return "PHP7." . $this->generate_install_salt_php7();
} else {
return "INSECURE." . $this->generate_install_salt();
}
}
}
$step = isset($_GET['step']) ? round($_GET['step']) : 0;
$page = array(
'config' => $config,
@ -679,6 +719,10 @@ if ($step == 0) {
'Imagick' => array(
'installed' => extension_loaded('imagick'),
'required' => false
),
'OpenSSL' => array(
'installed' => extension_loaded('openssl'),
'required' => false
)
);
@ -704,6 +748,13 @@ if ($step == 0) {
'required' => true,
'message' => 'You must install the PHP <a href="http://www.php.net/manual/en/mbstring.installation.php">mbstring</a> extension.',
),
array(
'category' => 'PHP',
'name' => 'OpenSSL extension installed or PHP &ge; 7.0',
'result' => (extension_loaded('openssl') || (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7)),
'required' => false,
'message' => 'It is highly recommended that you install the PHP <a href="http://www.php.net/manual/en/openssl.installation.php">OpenSSL</a> extension and/or use PHP version 7 or above. <strong>If you do not, it is possible that the IP addresses of users of your site could be compromised &mdash; see <a href="https://github.com/vichan-devel/vichan/issues/284">vichan issue #284.</a></strong> Installing the OpenSSL extension allows vichan to generate a secure salt automatically for you.',
),
array(
'category' => 'Database',
'name' => 'PDO extension installed',
@ -862,11 +913,13 @@ if ($step == 0) {
'config' => $config,
));
} elseif ($step == 2) {
// Basic config
$page['title'] = 'Configuration';
$config['cookies']['salt'] = substr(base64_encode(sha1(rand())), 0, 30);
$config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30);
$sg = new SaltGen();
$config['cookies']['salt'] = $sg->generate();
$config['secure_trip_salt'] = $sg->generate();
echo Element('page.html', array(
'body' => Element('installer/config.html', array(

Write Preview
Loading…
Cancel
Save