From 693fa1bdfae32bb610a28c38794e7a43e7680c48 Mon Sep 17 00:00:00 2001 From: Fredrick Brennan Date: Mon, 29 Jan 2018 18:19:16 +0800 Subject: [PATCH] Fix #284 for new installations _only_ Users with existing installations are still required to follow the advice in security bulletin #284. This commit isn't perfect -- PHP installations below 7.0 and w/o OpenSSL cannot be fully secured in my estimation. . . --- install.php | 63 ++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 58 insertions(+), 5 deletions(-) diff --git a/install.php b/install.php index e5d42d95..1ac88571 100644 --- a/install.php +++ b/install.php @@ -2,11 +2,51 @@ // Installation/upgrade file define('VERSION', '5.1.4'); - require 'inc/functions.php'; - loadConfig(); +// Salt generators +class SaltGen { + public $salt_length = 128; + + // Best function I could think of for non-SSL PHP 5 + private function generate_install_salt() { + $ret = ""; + + // This is bad! But what else can we do sans OpenSSL? + for ($i = 0; $i < $this->salt_length; ++$i) { + $s = pack("c", mt_rand(0,255)); + $ret = $ret . $s; + } + + return base64_encode($ret); + } + + // Best function of the lot. Works with any PHP version as long as OpenSSL extension is on + private function generate_install_salt_openssl() { + $ret = openssl_random_pseudo_bytes($this->salt_length, $strong); + if (!$strong) { + error(_("Misconfigured system: OpenSSL returning weak salts. Cannot continue.")); + } + return base64_encode($ret); + } + + private function generate_install_salt_php7() { + return base64_encode(random_bytes($this->salt_length)); + } + + // TODO: Perhaps add mcrypt as an option? Maybe overkill. + public function generate() { + if (extension_loaded('openssl')) { + return "OSSL." . $this->generate_install_salt_openssl(); + } else if (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7) { + return "PHP7." . $this->generate_install_salt_php7(); + } else { + return "INSECURE." . $this->generate_install_salt(); + } + } +} + $step = isset($_GET['step']) ? round($_GET['step']) : 0; $page = array( 'config' => $config, @@ -679,6 +719,10 @@ if ($step == 0) { 'Imagick' => array( 'installed' => extension_loaded('imagick'), 'required' => false + ), + 'OpenSSL' => array( + 'installed' => extension_loaded('openssl'), + 'required' => false ) ); @@ -704,6 +748,13 @@ if ($step == 0) { 'required' => true, 'message' => 'You must install the PHP mbstring extension.', ), + array( + 'category' => 'PHP', + 'name' => 'OpenSSL extension installed or PHP ≥ 7.0', + 'result' => (extension_loaded('openssl') || (defined('PHP_MAJOR_VERSION') && PHP_MAJOR_VERSION >= 7)), + 'required' => false, + 'message' => 'It is highly recommended that you install the PHP OpenSSL extension and/or use PHP version 7 or above. If you do not, it is possible that the IP addresses of users of your site could be compromised — see vichan issue #284. Installing the OpenSSL extension allows vichan to generate a secure salt automatically for you.', + ), array( 'category' => 'Database', 'name' => 'PDO extension installed', @@ -862,11 +913,13 @@ if ($step == 0) { 'config' => $config, )); } elseif ($step == 2) { + // Basic config $page['title'] = 'Configuration'; - - $config['cookies']['salt'] = substr(base64_encode(sha1(rand())), 0, 30); - $config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30); + + $sg = new SaltGen(); + $config['cookies']['salt'] = $sg->generate(); + $config['secure_trip_salt'] = $sg->generate(); echo Element('page.html', array( 'body' => Element('installer/config.html', array(