sbrl-github/Pepperminty-Wiki
sbrl-github/Pepperminty-Wiki
1
0
Fork 0
mirror of https://github.com/sbrl/Pepperminty-Wiki.git synced 2024-11-25 05:22:59 +00:00
Code Activity

Make site secret generator cryptographically secure

Browse source
This commit is contained in:
Starbeamrainbowlabs 2018-05-11 12:45:34 +01:00
parent 4abe3ecc29
commit e11766bbe1
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
2 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Changelog.md
View file

@ -3,6 +3,10 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
## v0.17-dev ## v0.17-dev
## Fixed
- [Security] Made the site secret generator cryptographically secure. If you created your wiki before this change, you might want to change your site secret in `peppermint.json` to something more secure with a site like [random.org](https://www.random.org/).
- The PHP function `openssl_pseudo_random_bytes()` was being used before, but [apparently that's not cryptographically secure](https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php).
## Changed ## Changed
- Password hashing has been overhauled! A totally new-and-different system is being used now, so you'll need to rehash all your passwords. - Password hashing has been overhauled! A totally new-and-different system is being used now, so you'll need to rehash all your passwords.
- The `hash` action supports the new password hashing scheme. - The `hash` action supports the new password hashing scheme.

3
settings.fragment.php
View file

@ -35,7 +35,8 @@ if(!file_exists($settingsFilename))
foreach ($guiConfig as $key => $value) foreach ($guiConfig as $key => $value)
$settings->$key = $value->default; $settings->$key = $value->default;
// Generate a random secret // Generate a random secret
$settings->secret = bin2hex(openssl_random_pseudo_bytes(16)); // Updated to use random_bytes - ref https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php
$settings->secret = bin2hex(random_bytes(16));
file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT)); file_put_contents("peppermint.json", json_encode($settings, JSON_PRETTY_PRINT));
} }
else else