Show a warning in the installer if no secure RNG is available
parent
d6c4b83f13
commit
2c427f050e
3 changed files with 34 additions and 2 deletions
|
@ -3,7 +3,6 @@
|
|||
<input type='hidden' id='hasPostgreSQL' value='<?php echo $_['hasPostgreSQL'] ?>'></input>
|
||||
<input type='hidden' id='hasOracle' value='<?php echo $_['hasOracle'] ?>'></input>
|
||||
<form action="index.php" method="post">
|
||||
|
||||
<input type="hidden" name="install" value="true" />
|
||||
<?php if(count($_['errors']) > 0): ?>
|
||||
<ul class="errors">
|
||||
|
@ -19,7 +18,14 @@
|
|||
<?php endforeach; ?>
|
||||
</ul>
|
||||
<?php endif; ?>
|
||||
|
||||
<?php if(!$_['secureRNG']): ?>
|
||||
<fieldset style="color: #B94A48; background-color: #F2DEDE; border-color: #EED3D7;">
|
||||
<legend><strong><?php echo $l->t('Security Warning');?></strong></legend>
|
||||
<span><?php echo $l->t('No secure random number generator is available, please enable the PHP OpenSSL extension.');?></span>
|
||||
<br/>
|
||||
<span><?php echo $l->t('Without a secure random number generator an attacker may be able to predict password reset tokens and take over your account.');?></span>
|
||||
</fieldset>
|
||||
<?php endif; ?>
|
||||
<fieldset>
|
||||
<legend><?php echo $l->t( 'Create an <strong>admin account</strong>' ); ?></legend>
|
||||
<p class="infield">
|
||||
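Review bot: The block under `<?php if(!$_['secureRNG']): ?>` is advisory only: as far as this hunk shows, the surrounding form still posts `install=true`, so setup can complete on a host where the check failed and the risk described in the second message remains. If that is intended, say so next to the condition, e.g. `<?php /* Advisory only: installation is not blocked when no secure RNG is found. */ ?>`, and consider surfacing the same warning after installation so it is not seen only once. The remedy text names only the OpenSSL extension, while the check in `lib/util.php` also accepts a readable `/dev/random`, so the wording could mention both. The colours are set through an inline `style` attribute, which a Content-Security-Policy that disallows inline styles would drop; a stylesheet class would be more robust.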
|
|
|
@ -5,12 +5,14 @@ $hasMySQL = is_callable('mysql_connect');
|
|||
$hasPostgreSQL = is_callable('pg_connect');
|
||||
$hasOracle = is_callable('oci_connect');
|
||||
$datadir = OC_Config::getValue('datadirectory', OC::$SERVERROOT.'/data');
|
||||
|
||||
$opts = array(
|
||||
'hasSQLite' => $hasSQLite,
|
||||
'hasMySQL' => $hasMySQL,
|
||||
'hasPostgreSQL' => $hasPostgreSQL,
|
||||
'hasOracle' => $hasOracle,
|
||||
'directory' => $datadir,
|
||||
'secureRNG' => OC_Util::secureRNG_available(),
|
||||
'errors' => array(),
|
||||
);
|
||||
|
||||
|
|
24
lib/util.php
24
lib/util.php
|
@ -559,6 +559,7 @@ class OC_Util {
|
|||
* @brief Generates a cryptographical secure pseudorandom string
|
||||
* @param Int with the length of the random string
|
||||
* @return String
|
||||
* Please also update secureRNG_available if you change something here
|
||||
*/
|
||||
public static function generate_random_bytes($length = 30) {
|
||||
|
||||
|
@ -589,4 +590,27 @@ class OC_Util {
|
|||
}
|
||||
return $pseudo_byte;
|
||||
}
|
||||
|
||||
/*
|
||||
* @brief Checks if a secure random number generator is available
|
||||
* @return bool
|
||||
*/
|
||||
public static function secureRNG_available() {
|
||||
|
||||
// Check openssl_random_pseudo_bytes
|
||||
if(function_exists('openssl_random_pseudo_bytes')) {
|
||||
openssl_random_pseudo_bytes(1, $strong);
|
||||
if($strong == TRUE) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
// Check /dev/random
|
||||
$fp = @file_get_contents('/dev/random', false, null, 0, 1);
|
||||
if ($fp !== FALSE) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
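Review bot: The `/dev/random` probe in `secureRNG_available()` treats any non-false result as success, so a read that returns an empty string still reports a secure RNG; check the length as well, `if ($fp !== false && strlen($fp) === 1) {`. The read can also stall on hosts where `/dev/random` blocks while the entropy pool is low, and the setup code appears to call this while building the installer page. Whether the probe matches what `generate_random_bytes()` actually reads cannot be confirmed here because that body lies outside the hunk; the two must stay in step, as the added docblock line asks. The new comment opens with `/*` rather than `/**`, so documentation tools will not treat it as a docblock.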
|
||||
|
|