COmanage Developers List

[Benn Oshrin <>]

On 2/14/12 5:35 PM, Scott Koranda wrote:

> The JIRA issue is "Salts should be randomized on install":
>
> https://bugs.internet2.edu/jira/browse/CO-202
>
> Attached is a diff showing the implemenation.
>
> Please send me any comments and let me know if I can push the code.

str_shuffle, who knew?

OK, this is important, and probably inadvertent, but DON'T EVER COMMIT 
THIS CHANGE:

-       Configure::write('debug', 0);
+       Configure::write('debug', 2);

Major security problems if any of us does. (I'm sure we all have this 
set locally in our working copies.)

Also, your diff includes changes for Controller/AppController.php that I 
think you want to commit separately.

+    if(file_exists($securitySaltFilename)){
+      $handle = fopen($securitySaltFilename, "r");
+      $saltLine = fgets($handle);
+      fclose($handle);
+
+      $salt = trim($saltLine);
+      if (strlen($salt) < 40){
+        throw new ConfigureException("security salt must be 40 or more 
characters");
+      }
+      Configure::write('Security.salt', $salt);
+    } else {
+      Configure::write('Security.salt', 
'DYhG93b0qyJfIxfs2guUoUubWwvniR2G0FgaC9mi');
+    }

I think if !file_exists, we want to throw an exception, no? (ie: if 
somebody decides to throw away the salt file for some reason.)

Ditto for cipherSeed. Also, 29 != 40:

+      if (strlen($seed) < 29){
+          throw new ConfigureException("security seed must be 40 or 
more digits");
+      }

You could probably also simplify this a bit by using file_get_contents().

-Benn-