Notes

(0005314)
alex
2012-12-05 03:18

Plan:
1. add new system setting called "RandomString" ("Random String") and place it under the "Use non-blocking socket mode" setting in the "Configuration -> Website -> Advanced" section
2. during clean install + during upgrade to the 5.3.0-B1 version use code from WordPress to generate a similar random string
3. verify that a different string is generated for each clean install / upgrade made
(0005320)
erik
2012-12-06 05:28

Patch attached. Needs testing.
(0005321)
alex
2012-12-06 06:22
(edited on: 2012-12-06 06:24)

1. must use the $this->Application->SetConfigValue method instead of doing direct SQL queries to the SystemSettings table ($this->Application is available during upgrade, and during clean install it's available after the root password is entered)
2. why is the current random string value (which is 100% empty during install/upgrade) being used to generate the new random string value?
(0005323)
erik
2012-12-06 11:31

1. Impossible - no application object at the execution point used.
2. The task said - "use code from WordPress to generate similar random string". In WordPress the old value is used when generating the new value.
(0005324)
alex
2012-12-06 12:00

1. then move random string generation to one of the next steps, where the application is available
Also don't forget that cookies used during installation also need to be hashed (see the related task about hashing) using the generated string
(0005326)
erik
2012-12-07 07:11

New patch version attached. Needs testing.
(0005330)
alex
2012-12-11 02:54

1. missing upgrade script that inserts the RandomString system setting
2. root password hash is used as the initial seed, which always introduces the same component (if the password is the same) into string generation
3. generated string doesn't look like these random strings (taken from the wp-config.php file):
define('AUTH_KEY', 'B9Gb>TN!3{onYA(4&PW>K8>@@KD|G8V1/|J-|}m;=_5O2||Vp/tg_6_[Nv]f5E-S');
define('SECURE_AUTH_KEY', '&jFdwDy_Nz^7/0=}ZSZF-iNQ5w^rpCswV}S&8/O+@Z%Jzk{q[OtW8Q<f2.}wx`|$');
define('LOGGED_IN_KEY', '@+J_;[5$u*[A*4nR%z|y6?d-!$U0G%jB8xOQ6+^OdPf4rnby/7mTbF{+!z$*2=*|');
define('NONCE_KEY', '+#y|nb[<<9|/[Y3r31S!rKIYtl8vQ:8;>4z8k+a|1Gx_=t{sdkjEfyRO&6+JnF__');
3a. Probably the wp_generate_password function should be used.
4. Random string (+seed) generation (+password generation) code looks promising; let's move both functions to UserHelper. Please also preserve the behavior where the generated random seed (set_transient) is stored somewhere (e.g. the cache table) and is reset after N uses.
(0005334)
erik
2012-12-11 05:55

1. Fixed
2. Fixed
3. Fixed
4. Fixed
New patch version attached. Needs testing.
(0005336)
alex
2012-12-12 03:39

Looks about right.
I've only done the following in the V4 version:
1. changed the global $rnd_value variable into a static variable
2. made the generateRandomNumber method protected
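The generator design the notes above converge on (a WordPress-style hex pool refilled from a persisted seed after 14 uses, a static $rnd_value, a protected generateRandomNumber, and a wp_generate_password-like character set), as an added illustration that is not the attached patch or In-Portal's own code. The RandomStringHelper class, its method names and the file-backed seed store standing in for the cache table / set_transient() are assumptions.

```php
<?php
// Added illustration, not the In-Portal patch. Seed storage below is a stand-in
// for the cache table row mentioned in the notes; class/method names are assumed.
class RandomStringHelper
{
    const SEED_FILE = '/tmp/random_seed.txt'; // stand-in for the cache table

    /** Hex pool; 32 (md5) + 40 (sha1) + 40 (sha1) chars = 14 numbers of 8 hex digits. */
    protected static $rnd_value = '';

    /**
     * Returns an integer in [$min, $max]. The pool is mixed from uniqid/microtime/
     * mt_rand and the stored seed only, never from the root password hash, so two
     * installs with the same password still get unrelated strings. On PHP 7+ the
     * cryptographically sound replacement for this scheme is random_int().
     */
    protected static function generateRandomNumber($min, $max)
    {
        if (strlen(self::$rnd_value) < 8) {
            $seed = is_readable(self::SEED_FILE) ? (string) file_get_contents(self::SEED_FILE) : '';
            self::$rnd_value = md5(uniqid(microtime() . mt_rand(), true) . $seed);
            self::$rnd_value .= sha1(self::$rnd_value);
            self::$rnd_value .= sha1(self::$rnd_value . $seed);
            // Persist a new seed so the next request/process does not start from the same state.
            file_put_contents(self::SEED_FILE, md5($seed . self::$rnd_value), LOCK_EX);
        }
        $value = hexdec(substr(self::$rnd_value, 0, 8)); // consume 32 bits
        self::$rnd_value = substr(self::$rnd_value, 8);  // keep the rest for the next call
        return (int) ($min + floor(($max - $min + 1) * $value / 4294967296));
    }

    /** Builds a key shaped like the wp-config.php AUTH_KEY values (alphanumerics plus both special-char sets). */
    public static function generateRandomString($length = 64)
    {
        $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
               . '!@#$%^&*()' . '-_ []{}<>~`+=,.;:/?|';
        $result = '';
        for ($i = 0; $i < $length; $i++) {
            $result .= $chars[self::generateRandomNumber(0, strlen($chars) - 1)];
        }
        return $result;
    }
}

echo RandomStringHelper::generateRandomString(), "\n";
```

Running it twice in separate processes yields different strings because the seed file is rewritten on every pool refill; deleting the seed file between runs does not make the output repeat either, since uniqid/microtime/mt_rand still enter the mix.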
(0005337)
alex
2012-12-12 03:40

Fix committed to 5.3.x branch. Commit Message:
Fixes 0001435: Generate random string at install
1. Commit on behalf of Erik