From a8eccc7d408dcb07b8b32fd0dd8ee4c090033f69 Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Wed, 16 Mar 2005 07:36:02 +0000
Subject: [PATCH] Stronger user token generation
---
 config/index.php | 10 +++++-----
 includes/DefaultSettings.php | 4 ++--
 includes/SpecialUserlogin.php | 1 +
 includes/User.php | 8 ++------
 4 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/config/index.php b/config/index.php
index 9b93debc24..9902381483 100644
--- a/config/index.php
+++ b/config/index.php
@@ -1001,14 +1001,14 @@ function writeLocalSettings( $conf ) {
 $file = @fopen( "/dev/urandom", "r" );
 if ( $file ) {
- $proxyKey = bin2hex( fread( $file, 32 ) );
+ $secretKey = bin2hex( fread( $file, 32 ) );
 fclose( $file );
 } else {
- $proxyKey = "";
+ $secretKey = "";
 for ( $i=0; $i<8; $i++ ) {
- $proxyKey .= dechex(mt_rand(0, 0x7fffffff));
+ $secretKey .= dechex(mt_rand(0, 0x7fffffff));
 }
- print "
  • Warning: \$wgProxyKey is insecure
  • \n"; + print "
  • Warning: \$wgSecretKey key is insecure, generated with mt_rand(). Consider changing it manually.
  • \n";
 }
 # Add slashes to strings for double quoting
@@ -1106,7 +1106,7 @@ if ( \$wgCommandLineMode ) {
 \$wgLanguageCode = \"{$slconf['LanguageCode']}\";
 \$wgUseLatin1 = " . ($conf->Latin1 ? 'true' : 'false') . ";\n
-\$wgProxyKey = \"$proxyKey\";
+\$wgProxyKey = \"$secretKey\";
 ## Default skin: you can change the default skin. Use the internal symbolic
 ## names, ie 'standard', 'nostalgia', 'cologneblue', 'monobook':
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index f14fe7e57d..3ea935afd5 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -525,8 +525,8 @@ $wgProxyPorts = array( 80, 81, 1080, 3128, 6588, 8000, 8080, 8888, 65506 );
 $wgProxyScriptPath = "$IP/proxy_check.php";
 /** */
 $wgProxyMemcExpiry = 86400;
-/** */
-$wgProxyKey = 'W1svekXc5u6lZllTZOwnzEk1nbs';
+/** This should always be customised in LocalSettings.php */
+$wgSecretKey = 'W1svekXc5u6lZllTZOwnzEk1nbs';
 /** big list of banned IP addresses, in the keys not the values */
 $wgProxyList = array();
diff --git a/includes/SpecialUserlogin.php b/includes/SpecialUserlogin.php
index 1f9c1bcd03..0f6fc19bba 100644
--- a/includes/SpecialUserlogin.php
+++ b/includes/SpecialUserlogin.php
@@ -261,6 +261,7 @@ class LoginForm {
 $u->setPassword( $this->mPassword );
 $u->setEmail( $this->mEmail );
 $u->setRealName( $this->mRealName );
+ $u->setToken();
 global $wgAuth;
 $wgAuth->initUser( $u );
diff --git a/includes/User.php b/includes/User.php
index 110a9f55a0..ceccb18ce8 100644
--- a/includes/User.php
+++ b/includes/User.php
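Review bot: The /dev/urandom branch never checks how many bytes fread() actually returned, so a short read silently produces a shorter `$secretKey` without the warning, and `@fopen` also hides why the fallback was taken. Read the bytes into a variable, close the handle, and treat anything under 32 bytes as a failure that takes the existing mt_rand() path. That fallback still writes a key built from eight mt_rand() outputs, which is not a cryptographic source, so the printed warning is the only protection the installed key gets and should remain prominent. writeLocalSettings() begins before this hunk.
```php
$secretKey = '';
$file = @fopen( "/dev/urandom", "r" );
if ( $file ) {
	$bytes = fread( $file, 32 );
	fclose( $file );
	if ( strlen( $bytes ) == 32 ) {
		$secretKey = bin2hex( $bytes );
	}
}
if ( $secretKey == '' ) {
	// … unchanged: mt_rand() fallback and the insecure-key warning …
}
```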
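Review bot: The generated key is still written to LocalSettings.php as `\$wgProxyKey = \"$secretKey\";`, but DefaultSettings.php in this same patch renames the setting to `$wgSecretKey` and the new User::setToken() reads `$wgSecretKey`, so a fresh install leaves `$wgSecretKey` at the public DefaultSettings.php value and the installer's strong key is never used for tokens. Change the written line to `\$wgSecretKey = \"$secretKey\";`; if anything outside this patch still reads `$wgProxyKey` (not visible here), write both names from the same value. The LocalSettings template string this line sits in begins and ends outside the hunk.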
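Review bot: The renamed `$wgSecretKey` keeps the same default string that was already shipped publicly as `$wgProxyKey`, so any wiki that does not override it now derives its user tokens from a value anyone can read in the repository, and the new comment states the requirement without saying why it matters. Make the consequence explicit in the doc comment, e.g. `/** Secret key mixed into user authentication tokens (User::setToken). Must be overridden in LocalSettings.php: the default is public and gives no protection. */`.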
@@ -592,13 +592,9 @@ class User {
 # Set the random token (used for persistent authentication)
 function setToken( $token = false ) {
+ global $wgSecretKey, $wgDBname;
 if ( !$token ) {
- $this->mToken = '';
- # Take random data from PRNG
- # This is reasonably secure if the PRNG has been seeded correctly
- for ($i = 0; $imToken .= sprintf( "%04X", mt_rand( 0, 65535 ) );
- }
+ $this->mToken = md5( $wgSecretKey . mt_rand( 0, 0x7fffffff ) . $wgDBname . $this->mId );
 } else {
 $this->mToken = $token;
 }
-- 2.20.1
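Review bot: The added md5() line draws at most 31 bits of fresh randomness per token, from its single `mt_rand( 0, 0x7fffffff )` call; `$wgSecretKey`, `$wgDBname` and `$this->mId` are fixed per wiki and per user, so anyone who knows or guesses the secret (its DefaultSettings.php default is public) can enumerate a user's possible tokens in about 2^31 hashes, whereas the removed loop took eight PRNG outputs. When setToken() runs from the new-account path added in SpecialUserlogin.php, mId may not be assigned yet (not visible here — verify), which would make even that input constant across new users. Gather more entropy before hashing — several mt_rand() outputs plus microtime(), and /dev/urandom when readable, as the installer already does — and keep `$wgSecretKey` as the keying material. The function's closing brace lies outside the hunk.
```php
global $wgSecretKey, $wgDBname;
if ( !$token ) {
	$entropy = '';
	$file = @fopen( '/dev/urandom', 'r' );
	if ( $file ) {
		$entropy = fread( $file, 32 );
		fclose( $file );
	}
	for ( $i = 0; $i < 8; $i++ ) {
		$entropy .= mt_rand( 0, 0x7fffffff );
	}
	$this->mToken = md5( $wgSecretKey . $entropy . microtime() . $wgDBname . $this->mId );
} else {
	// … unchanged: caller-supplied token …
}
```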