1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-12-25 14:45:02 +00:00

Make site secret generator cryptographically secure

This commit is contained in:
Starbeamrainbowlabs 2018-05-11 12:45:34 +01:00
parent 4abe3ecc29
commit e11766bbe1
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
2 changed files with 6 additions and 1 deletions

View file

@ -3,6 +3,10 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
## v0.17-dev
## Fixed
- [Security] Made the site secret generator cryptographically secure. If you created your wiki before this change, you might want to change your site secret in `peppermint.json` to something more secure with a site like [random.org](https://www.random.org/).
- The PHP function `openssl_pseudo_random_bytes()` was being used before, but [apparently that's not cryptographically secure](https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php).
## Changed
- Password hashing has been overhauled! A totally new-and-different system is being used now, so you'll need to rehash all your passwords.
- The `hash` action supports the new password hashing scheme.

View file

@ -35,7 +35,8 @@ if(!file_exists($settingsFilename))
foreach ($guiConfig as $key => $value)
$settings->$key = $value->default;
// Generate a random secret
$settings->secret = bin2hex(openssl_random_pseudo_bytes(16));
// Updated to use random_bytes - ref https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php
$settings->secret = bin2hex(random_bytes(16));
file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT));
}
else