mirror of
https://github.com/sbrl/Pepperminty-Wiki.git
synced 2024-12-25 14:45:02 +00:00
Make site secret generator cryptographically secure
This commit is contained in:
parent
4abe3ecc29
commit
e11766bbe1
2 changed files with 6 additions and 1 deletions
|
@ -3,6 +3,10 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
|
|||
|
||||
## v0.17-dev
|
||||
|
||||
## Fixed
|
||||
- [Security] Made the site secret generator cryptographically secure. If you created your wiki before this change, you might want to change your site secret in `peppermint.json` to something more secure with a site like [random.org](https://www.random.org/).
|
||||
- The PHP function `openssl_pseudo_random_bytes()` was being used before, but [apparently that's not cryptographically secure](https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php).
|
||||
|
||||
## Changed
|
||||
- Password hashing has been overhauled! A totally new-and-different system is being used now, so you'll need to rehash all your passwords.
|
||||
- The `hash` action supports the new password hashing scheme.
|
||||
|
|
|
@ -35,7 +35,8 @@ if(!file_exists($settingsFilename))
|
|||
foreach ($guiConfig as $key => $value)
|
||||
$settings->$key = $value->default;
|
||||
// Generate a random secret
|
||||
$settings->secret = bin2hex(openssl_random_pseudo_bytes(16));
|
||||
// Updated to use random_bytes - ref https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php
|
||||
$settings->secret = bin2hex(random_bytes(16));
|
||||
file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT));
|
||||
}
|
||||
else
|
||||
|
|
Loading…
Reference in a new issue