From a7f03d101ccbb85b231ff592d31e01dc78b93206 Mon Sep 17 00:00:00 2001 From: Peter Linss Date: Tue, 19 Nov 2019 16:48:40 -0800 Subject: [PATCH 1/2] Use cryptographically secure random number generator for APP_SALT when available --- rainloop/v/0.0.0/include.php | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/rainloop/v/0.0.0/include.php b/rainloop/v/0.0.0/include.php index 5b51731dd..26600d423 100644 --- a/rainloop/v/0.0.0/include.php +++ b/rainloop/v/0.0.0/include.php @@ -126,13 +126,22 @@ if (false === $sSalt) { - // random salt - $sSalt = '<'.'?php //' - .md5(microtime(true).rand(1000, 5000)) - .md5(microtime(true).rand(5000, 9999)) - .md5(microtime(true).rand(1000, 5000)); + if (function_exists('random_bytes')) + { // secure random salt + $sSalt = bin2hex(random_bytes(48)); + } + elseif (function_exists('openssl_random_pseudo_bytes')) + { // not-quite as secure random salt + $sSalt = bin2hex(openssl_random_pseudo_bytes(48)); + } + else + { // pseudo-random salt + $sSalt = md5(microtime(true).rand(1000, 5000)) + .md5(microtime(true).rand(5000, 9999)) + .md5(microtime(true).rand(1000, 5000)); + } - @file_put_contents(APP_DATA_FOLDER_PATH.'SALT.php', $sSalt); + @file_put_contents(APP_DATA_FOLDER_PATH.'SALT.php', '<'.'?php //'.$sSalt); } define('APP_SALT', md5($sSalt.APP_PRIVATE_DATA_NAME.$sSalt)); From a54d40f2a2fae9305036220fdbcd8424d5bd588a Mon Sep 17 00:00:00 2001 From: Peter Linss Date: Wed, 20 Nov 2019 09:20:40 -0800 Subject: [PATCH 2/2] improve error handling for salt generation --- rainloop/v/0.0.0/include.php | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/rainloop/v/0.0.0/include.php b/rainloop/v/0.0.0/include.php index 26600d423..9d7fdc2e9 100644 --- a/rainloop/v/0.0.0/include.php +++ b/rainloop/v/0.0.0/include.php @@ -124,17 +124,23 @@ unset($sCheckName, $sCheckFilePath, $sCheckFolder, $sTest); } - if (false === $sSalt) - { + if (false === $sSalt) { if (function_exists('random_bytes')) { // secure random salt - $sSalt = bin2hex(random_bytes(48)); + try + { + $sSalt = bin2hex(random_bytes(48)); + } + catch (\Exception $oException) + { + $sSalt = false; + } } - elseif (function_exists('openssl_random_pseudo_bytes')) + if ((false === $sSalt) && (function_exists('openssl_random_pseudo_bytes'))) { // not-quite as secure random salt $sSalt = bin2hex(openssl_random_pseudo_bytes(48)); } - else + if (false === $sSalt) { // pseudo-random salt $sSalt = md5(microtime(true).rand(1000, 5000)) .md5(microtime(true).rand(5000, 9999))