tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Remove mcrypt

Browse Source 
Use session for alternativeDatabaseName instead
Fixes #7280
This commit is contained in:
Damian Mooyman 2017-08-22 14:17:02 +12:00
parent 9b4d689bb2
commit 14761a9246
No known key found for this signature in database
GPG Key ID: 78B823A10DE27D1A
4 changed files with 61 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Mac_OSX_Homebrew.md
View File

@ -27,9 +27,9 @@ First we're telling Homebrew about some new repositories to get the PHP installa
brew tap homebrew/dupes brew tap homebrew/dupes
brew tap homebrew/php brew tap homebrew/php
We're installing PHP 5.6 here, with the required `mcrypt` module: We're installing PHP 5.6 here, with the required `intl` module:
brew install php56 php56-mcrypt php56-intl php56-apcu brew install php56 php56-intl php56-apcu
There's a [Homebrew Troubleshooting](https://github.com/Homebrew/homebrew/blob/master/share/doc/homebrew/Troubleshooting.md) guide if Homebrew doesn't work out as expected (run `brew update` and `brew doctor`). There's a [Homebrew Troubleshooting](https://github.com/Homebrew/homebrew/blob/master/share/doc/homebrew/Troubleshooting.md) guide if Homebrew doesn't work out as expected (run `brew update` and `brew doctor`).

2
docs/en/00_Getting_Started/01_Installation/04_Other_installation_Options/Vagrant_Virtualbox.md
View File

@ -119,7 +119,7 @@ yum update -y --disableplugin=fastestmirror
systemctl restart sshd systemctl restart sshd
yum install -y httpd httpd-devel mod_ssl yum install -y httpd httpd-devel mod_ssl
yum -y install php php-common php-mysql php-pdo php-mcrypt* php-gd php-xml php-mbstring yum -y install php php-common php-mysql php-pdo php-intl php-gd php-xml php-mbstring
echo "Include /vagrant/apache/*.conf" >> /etc/httpd/conf/httpd.conf echo "Include /vagrant/apache/*.conf" >> /etc/httpd/conf/httpd.conf
echo "date.timezone = Pacific/Auckland" >> /etc/php.ini echo "date.timezone = Pacific/Auckland" >> /etc/php.ini
systemctl start httpd.service systemctl start httpd.service

115
src/ORM/DB.php
View File

@ -2,10 +2,10 @@
namespace SilverStripe\ORM; namespace SilverStripe\ORM;
use BadMethodCallException;
use InvalidArgumentException; use InvalidArgumentException;
use LogicException;
use SilverStripe\Control\Cookie;
use SilverStripe\Control\Director; use SilverStripe\Control\Director;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Config\Config; use SilverStripe\Core\Config\Config;
use SilverStripe\Core\Convert; use SilverStripe\Core\Convert;
use SilverStripe\Core\Injector\Injector; use SilverStripe\Core\Injector\Injector;
@ -31,6 +31,19 @@ class DB
*/ */
const USE_ANSI_SQL = true; const USE_ANSI_SQL = true;
/**
* Session key for alternative database name
*/
const ALT_DB_KEY = 'alternativeDatabaseName';
/**
* Allow alternative DB to be disabled.
* Necessary for DB backed session store to work.
*
* @config
* @var bool
*/
private static $alternative_database_enabled = true;
/** /**
* The global database connection. * The global database connection.
@ -171,90 +184,78 @@ class DB
* *
* Note that the database will be set on the next request. * Note that the database will be set on the next request.
* Set it to null to revert to the main database. * Set it to null to revert to the main database.
*
* @param string $name * @param string $name
*/ */
public static function set_alternative_database_name($name = null) public static function set_alternative_database_name($name = null)
{ {
// Ignore if disabled
if (!Config::inst()->get(static::class, 'alternative_database_enabled')) {
return;
}
// Skip if CLI // Skip if CLI
if (Director::is_cli()) { if (Director::is_cli()) {
return; return;
} }
// Validate name
if ($name && !self::valid_alternative_database_name($name)) {
throw new InvalidArgumentException(sprintf(
'Invalid alternative database name: "%s"',
$name
));
}
// Set against session
if (!Injector::inst()->has(HTTPRequest::class)) {
return;
}
/** @var HTTPRequest $request */
$request = Injector::inst()->get(HTTPRequest::class);
if ($name) { if ($name) {
if (!self::valid_alternative_database_name($name)) { $request->getSession()->set(self::ALT_DB_KEY, $name);
throw new InvalidArgumentException(sprintf(
'Invalid alternative database name: "%s"',
$name
));
}
$key = Config::inst()->get('SilverStripe\\Security\\Security', 'token');
if (!$key) {
throw new LogicException('"Security.token" not found, run "sake dev/generatesecuretoken"');
}
if (!function_exists('mcrypt_encrypt')) {
throw new LogicException('DB::set_alternative_database_name() requires the mcrypt PHP extension');
}
$key = md5($key); // Ensure key is correct length for chosen cypher
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CFB);
$iv = mcrypt_create_iv($ivSize);
$encrypted = mcrypt_encrypt(
MCRYPT_RIJNDAEL_256,
$key,
$name,
MCRYPT_MODE_CFB,
$iv
);
// Set to browser session lifetime, and restricted to HTTP access only
Cookie::set("alternativeDatabaseName", base64_encode($encrypted), 0, null, null, false, true);
Cookie::set("alternativeDatabaseNameIv", base64_encode($iv), 0, null, null, false, true);
} else { } else {
Cookie::force_expiry("alternativeDatabaseName", null, null, false, true); $request->getSession()->clear(self::ALT_DB_KEY);
Cookie::force_expiry("alternativeDatabaseNameIv", null, null, false, true);
} }
} }
/** /**
* Get the name of the database in use * Get the name of the database in use
*
* @return string|false Name of temp database, or false if not set
*/ */
public static function get_alternative_database_name() public static function get_alternative_database_name()
{ {
$name = Cookie::get("alternativeDatabaseName"); // Ignore if disabled
$iv = Cookie::get("alternativeDatabaseNameIv"); if (!Config::inst()->get(static::class, 'alternative_database_enabled')) {
if ($name) {
$key = Config::inst()->get('SilverStripe\\Security\\Security', 'token');
if (!$key) {
throw new LogicException('"Security.token" not found, run "sake dev/generatesecuretoken"');
}
if (!function_exists('mcrypt_encrypt')) {
throw new LogicException('DB::set_alternative_database_name() requires the mcrypt PHP extension');
}
$key = md5($key); // Ensure key is correct length for chosen cypher
$decrypted = mcrypt_decrypt(
MCRYPT_RIJNDAEL_256,
$key,
base64_decode($name),
MCRYPT_MODE_CFB,
base64_decode($iv)
);
return (self::valid_alternative_database_name($decrypted)) ? $decrypted : false;
} else {
return false; return false;
} }
// Skip if CLI
if (Director::is_cli()) {
return false;
}
if (!Injector::inst()->has(HTTPRequest::class)) {
return null;
}
/** @var HTTPRequest $request */
$request = Injector::inst()->get(HTTPRequest::class);
$name = $request->getSession()->get(self::ALT_DB_KEY);
if (self::valid_alternative_database_name($name)) {
return $name;
}
return false;
} }
/** /**
* Determines if the name is valid, as a security * Determines if the name is valid, as a security
* measure against setting arbitrary databases. * measure against setting arbitrary databases.
* *
* @param String $name * @param string $name
* @return Boolean * @return bool
*/ */
public static function valid_alternative_database_name($name) public static function valid_alternative_database_name($name)
{ {
if (Director::isLive()) { if (Director::isLive() || empty($name)) {
return false; return false;
} }

9
src/Security/Security.php
View File

@ -119,15 +119,6 @@ class Security extends Controller implements TemplateGlobalProvider
*/ */
private static $default_message_set; private static $default_message_set;
/**
* Random secure token, can be used as a crypto key internally.
* Generate one through 'sake dev/generatesecuretoken'.
*
* @config
* @var String
*/
private static $token;
/** /**
* The default login URL * The default login URL
* *