diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2025-10-04 14:32:18 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2025-10-04 14:32:18 +0200 |
| commit | 57e1a375cbd2db9741ff19167813344f8eff5772 (patch) | |
| tree | 741fc3820a205ab3ea84a03f6b72615dd8238f99 | |
| parent | be49726ebb700aca030004d367c029082cfc6427 (diff) | |
Strengthen some crypto (#8061)
For login, tokens, nonces
| -rw-r--r-- | app/Controllers/javascriptController.php | 5 | ||||
| -rw-r--r-- | app/Controllers/userController.php | 3 | ||||
| -rw-r--r-- | app/Models/Auth.php | 3 | ||||
| -rw-r--r-- | app/Models/FormAuth.php | 2 | ||||
| -rw-r--r-- | lib/lib_install.php | 2 | ||||
| -rw-r--r-- | p/f.php | 4 |
6 files changed, 8 insertions, 11 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php index 1370c00c7..eda468dff 100644 --- a/app/Controllers/javascriptController.php +++ b/app/Controllers/javascriptController.php @@ -74,12 +74,11 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController { $user_conf = get_user_configuration($user); if ($user_conf !== null) { try { - $salt = FreshRSS_Context::systemConf()->salt; $s = $user_conf->passwordHash; if (strlen($s) >= 60) { //CRYPT_BLOWFISH Salt: "$2a$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z". $this->view->salt1 = substr($s, 0, 29); - $this->view->nonce = sha1($salt . uniqid('' . mt_rand(), true)); + $this->view->nonce = hash('sha256', FreshRSS_Context::systemConf()->salt . $user . random_bytes(32)); Minz_Session::_param('nonce', $this->view->nonce); return; //Success } @@ -95,7 +94,7 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController { for ($i = 22; $i > 0; $i--) { $this->view->salt1 .= $alphabet[random_int(0, 63)]; } - $this->view->nonce = sha1('' . mt_rand()); + $this->view->nonce = hash('sha256', 'failure' . rand()); Minz_Session::_param('nonce', $this->view->nonce); } } diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index f820ef882..a7a79b067 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -41,8 +41,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController { $userConfig->mail_login = $email; if (FreshRSS_Context::systemConf()->force_email_validation) { - $salt = FreshRSS_Context::systemConf()->salt; - $userConfig->email_validation_token = sha1($salt . uniqid('' . mt_rand(), true)); + $userConfig->email_validation_token = hash('sha256', FreshRSS_Context::systemConf()->salt . $email . random_bytes(32)); $mailer = new FreshRSS_User_Mailer(); $mailer->send_email_need_validation($user, $userConfig); } diff --git a/app/Models/Auth.php b/app/Models/Auth.php index 19cd26aa5..888215730 100644 --- a/app/Models/Auth.php +++ b/app/Models/Auth.php @@ -217,8 +217,7 @@ class FreshRSS_Auth { public static function csrfToken(): string { $csrf = Minz_Session::paramString('csrf'); if ($csrf == '') { - $salt = FreshRSS_Context::systemConf()->salt; - $csrf = sha1($salt . uniqid('' . random_int(0, mt_getrandmax()), true)); + $csrf = hash('sha256', FreshRSS_Context::systemConf()->salt . random_bytes(32)); Minz_Session::_param('csrf', $csrf); } return $csrf; diff --git a/app/Models/FormAuth.php b/app/Models/FormAuth.php index 1da03f6d2..8943fa7f5 100644 --- a/app/Models/FormAuth.php +++ b/app/Models/FormAuth.php @@ -52,7 +52,7 @@ class FreshRSS_FormAuth { public static function makeCookie(string $username, string $password_hash): string|false { do { - $token = sha1(FreshRSS_Context::systemConf()->salt . $username . uniqid('' . mt_rand(), true)); + $token = hash('sha256', FreshRSS_Context::systemConf()->salt . $username . random_bytes(32)); $token_file = DATA_PATH . '/tokens/' . $token . '.txt'; } while (file_exists($token_file)); diff --git a/lib/lib_install.php b/lib/lib_install.php index 44bedd218..28827f0d6 100644 --- a/lib/lib_install.php +++ b/lib/lib_install.php @@ -73,7 +73,7 @@ function checkRequirements(string $dbType = ''): array { } function generateSalt(): string { - return sha1(uniqid('' . mt_rand(), true) . implode('', stat(__FILE__) ?: [])); + return hash('sha256', uniqid(more_entropy: true) . implode('', stat(__FILE__) ?: []) . random_bytes(32)); } /** @@ -39,7 +39,7 @@ $txt_mtime = @filemtime($txt) ?: 0; $is_custom_favicon = $ico_mtime != false && $txt_mtime == false; -if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (mt_rand(15, 20) * 86400))) && !$is_custom_favicon) { +if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (rand(15, 20) * 86400))) && !$is_custom_favicon) { if ($txt_mtime == false) { show_default_favicon(1800); exit(); @@ -63,7 +63,7 @@ if (($ico_mtime == false || $ico_mtime < $txt_mtime || ($ico_mtime < time() - (m } } -if ($no_cache || !httpConditional($ico_mtime, mt_rand(14, 21) * 86400, 2)) { +if ($no_cache || !httpConditional($ico_mtime, rand(14, 21) * 86400, 2)) { $ico_content_type = contentType($ico); header('Content-Type: ' . $ico_content_type); header('Content-Disposition: inline; filename="' . $id . '.ico"'); |