Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
change apikey and salt generation to use new php7 cryptographically secure random_bytes function
TrystanLea committed Jul 15, 2021
1 parent a8dc51e, commit 31523b9
Showing 4 changed files with 41 additions and 8 deletions.
31523b9
Does this mean the min version is now PHP 7? So we can use scalar types?
31523b9
Hello @inverse, good question. Perhaps I need to abstract this function and check that it exists and, if not, provide a fallback? Or use `openssl_random_pseudo_bytes`? Do you have any view on the matter?
31523b9
We could alternatively use `$apikey = bin2hex(openssl_random_pseudo_bytes(16));`, which is supported by 5.3 and has apparently had an earlier flaw fixed.
31523b9
I've decided to create a function in core.php that abstracts out the key generation, using `random_bytes` if available and, if not, the openssl function: 03ba19f
This should keep compatibility with PHP 5.3 for now.
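The fallback pattern discussed in this thread, as an added example that is not the code from commit 03ba19f or from emoncms: it prefers `random_bytes`, falls back to `openssl_random_pseudo_bytes` only when that function reports a strong source, and otherwise fails closed. The function name `generate_secure_key` and the 16-byte salt length are assumptions made for illustration.

```php
<?php
// Added illustration. generate_secure_key() is a hypothetical name,
// not the function the project added to core.php.

/**
 * Return $length cryptographically secure random bytes, hex-encoded.
 * Written to run on PHP 5.3 and later.
 */
function generate_secure_key($length = 16)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }

    // PHP 7+: random_bytes() reads the OS CSPRNG and throws on failure,
    // so there is no silent weak result to check for.
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($length));
    }

    // PHP 5.3+ fallback: needs the openssl extension to be loaded.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        // Before PHP 8 this call can return false or flag a weak source
        // through its second argument; refuse to issue a key in either case.
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return bin2hex($bytes);
        }
    }

    // Fail closed: never drop to rand(), mt_rand() or uniqid() for secrets.
    throw new RuntimeException('no cryptographically secure random source available');
}

// 16 bytes matches the openssl_random_pseudo_bytes(16) call quoted above;
// the salt length is an assumption for this example.
$apikey = generate_secure_key(16);
$salt   = generate_secure_key(16);

echo strlen($apikey), ' ', ctype_xdigit($apikey) ? 'hex' : 'not hex', PHP_EOL;
```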
31523b9
It would be good to consider whether we aim to target only PHP 7 as a separate matter. Latest emonSD images are now all PHP7, as are all of the emoncms servers that I run, but I know it can be a real pain if you have an old server and pulling in the latest emoncms breaks everything!
31523b9
It's a tough one, since even PHP 7.2 has been EOL since last year. Supporting such things, which are potentially exposed to the internet, could be deemed a security risk.
https://endoflife.software/programming-languages/server-side-scripting/php
Check out WordPress and their proposal on it https://make.wordpress.org/core/2020/08/24/proposal-dropping-support-for-old-php-versions-via-a-fixed-schedule/