From 17a8e61d2ae9e938aaf60292666b6ccf5cb09067 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Sat, 7 Jan 2017 14:25:46 +0300 Subject: [PATCH] deprecate encrypted feed passwords because mcrypt is getting removed from php 7.1 1. transparent decryption for existing installs stays for the time being 2. new passwords are not going to be encrypted even if FEED_CRYPT_KEY is defined 3. added update.php --decrypt-feeds to bulk decrypt existing encrypted passwords 4. updated install to not auto-generate crypt key 5. added warning to config.php-dist --- classes/pref/feeds.php | 20 +++----------------- config.php-dist | 5 +++++ include/crypt.php | 15 --------------- include/functions.php | 9 +-------- include/rssfuncs.php | 4 ++-- install/index.php | 8 -------- update.php | 32 ++++++++++++++++++++++++++++++++ 7 files changed, 43 insertions(+), 50 deletions(-) diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php index 2803d68ec..6795236d5 100755 --- a/classes/pref/feeds.php +++ b/classes/pref/feeds.php @@ -646,7 +646,7 @@ class Pref_Feeds extends Handler_Protected { $auth_pass = $this->dbh->fetch_result($result, 0, "auth_pass"); - if ($auth_pass_encrypted) { + if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { require_once "crypt.php"; $auth_pass = decrypt_string($auth_pass); } @@ -983,14 +983,7 @@ class Pref_Feeds extends Handler_Protected { $feed_language = $this->dbh->escape_string(trim($_POST["feed_language"])); - if (strlen(FEED_CRYPT_KEY) > 0) { - require_once "crypt.php"; - $auth_pass = substr(encrypt_string($auth_pass), 0, 250); - $auth_pass_encrypted = 'true'; - } else { - $auth_pass_encrypted = 'false'; - } - + $auth_pass_encrypted = 'false'; $auth_pass = $this->dbh->escape_string($auth_pass); if (get_pref('ENABLE_FEED_CATS')) { @@ -1889,14 +1882,7 @@ class Pref_Feeds extends Handler_Protected { "SELECT id FROM ttrss_feeds WHERE feed_url = '$feed' AND owner_uid = ".$_SESSION["uid"]); - if (strlen(FEED_CRYPT_KEY) > 0) { - require_once "crypt.php"; - $pass = substr(encrypt_string($pass), 0, 250); - $auth_pass_encrypted = 'true'; - } else { - $auth_pass_encrypted = 'false'; - } - + $auth_pass_encrypted = 'false'; $pass = $this->dbh->escape_string($pass); if ($this->dbh->num_rows($result) == 0) { diff --git a/config.php-dist b/config.php-dist index 2eaaab617..c86af943b 100644 --- a/config.php-dist +++ b/config.php-dist @@ -25,6 +25,11 @@ // including PUSH, bookmarklets and browser integration will not work properly. define('FEED_CRYPT_KEY', ''); + // WARNING: mcrypt is deprecated in php 7.1. This directive exists for backwards + // compatibility with existing installs, new passwords are NOT going to be encrypted. + // Use update.php --decrypt-feeds to decrypt existing passwords in the database while + // mcrypt is still available. + // Key used for encryption of passwords for password-protected feeds // in the database. A string of 24 random characters. If left blank, encryption // is not used. Requires mcrypt functions. diff --git a/include/crypt.php b/include/crypt.php index f06483ef1..217ad3b0f 100644 --- a/include/crypt.php +++ b/include/crypt.php @@ -18,19 +18,4 @@ return false; } - - function encrypt_string($str) { - $key = hash('SHA256', FEED_CRYPT_KEY, true); - - $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, - MCRYPT_MODE_CBC), MCRYPT_RAND); - - $encstr = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $str, - MCRYPT_MODE_CBC, $iv); - - $iv_base64 = base64_encode($iv); - $encstr_base64 = base64_encode($encstr); - - return "$iv_base64:$encstr_base64"; - } ?> diff --git a/include/functions.php b/include/functions.php index f10c3a00b..ce7627d5a 100755 --- a/include/functions.php +++ b/include/functions.php @@ -1749,14 +1749,7 @@ "SELECT id FROM ttrss_feeds WHERE feed_url = '$url' AND owner_uid = ".$_SESSION["uid"]); - if (strlen(FEED_CRYPT_KEY) > 0) { - require_once "crypt.php"; - $auth_pass = substr(encrypt_string($auth_pass), 0, 250); - $auth_pass_encrypted = 'true'; - } else { - $auth_pass_encrypted = 'false'; - } - + $auth_pass_encrypted = 'false'; $auth_pass = db_escape_string($auth_pass); if (db_num_rows($result) == 0) { diff --git a/include/rssfuncs.php b/include/rssfuncs.php index e667df41f..6c342971f 100644 --- a/include/rssfuncs.php +++ b/include/rssfuncs.php @@ -254,7 +254,7 @@ $auth_login = db_fetch_result($result, 0, "auth_login"); $auth_pass = db_fetch_result($result, 0, "auth_pass"); - if ($auth_pass_encrypted) { + if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { require_once "crypt.php"; $auth_pass = decrypt_string($auth_pass); } @@ -347,7 +347,7 @@ $auth_login = db_fetch_result($result, 0, "auth_login"); $auth_pass = db_fetch_result($result, 0, "auth_pass"); - if ($auth_pass_encrypted) { + if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { require_once "crypt.php"; $auth_pass = decrypt_string($auth_pass); } diff --git a/install/index.php b/install/index.php index 00e90dfe7..16314edf6 100755 --- a/install/index.php +++ b/install/index.php @@ -128,12 +128,6 @@ $finished = false; - if (function_exists("mcrypt_decrypt")) { - $crypt_key = make_password(24); - } else { - $crypt_key = ""; - } - foreach ($data as $line) { if (preg_match("/define\('DB_TYPE'/", $line)) { $rv .= "\tdefine('DB_TYPE', '$DB_TYPE');\n"; @@ -149,8 +143,6 @@ $rv .= "\tdefine('DB_PORT', '$DB_PORT');\n"; } else if (preg_match("/define\('SELF_URL_PATH'/", $line)) { $rv .= "\tdefine('SELF_URL_PATH', '$SELF_URL_PATH');\n"; - } else if (preg_match("/define\('FEED_CRYPT_KEY'/", $line)) { - $rv .= "\tdefine('FEED_CRYPT_KEY', '$crypt_key');\n"; } else if (!$finished) { $rv .= "$line\n"; } diff --git a/update.php b/update.php index 65cf9f06e..821d25bce 100755 --- a/update.php +++ b/update.php @@ -38,6 +38,7 @@ "debug-feed:", "force-refetch", "force-rehash", + "decrypt-feeds", "help"); foreach (PluginHost::getInstance()->get_commands() as $command => $data) { @@ -91,6 +92,7 @@ print " --debug-feed N - perform debug update of feed N\n"; print " --force-refetch - debug update: force refetch feed data\n"; print " --force-rehash - debug update: force rehash articles\n"; + print " --decrypt-feeds - decrypt feed passwords\n"; print " --help - show this help\n"; print "Plugin options:\n"; @@ -402,6 +404,36 @@ update_rss_feed($feed); } + if (isset($options["decrypt-feeds"])) { + $result = db_query("SELECT id, auth_pass FROM ttrss_feeds WHERE auth_pass_encrypted = true"); + + if (!function_exists("mcrypt_decrypt")) { + _debug("mcrypt functions not available."); + return; + } + + require_once "crypt.php"; + + $total = 0; + + db_query("BEGIN"); + + while ($line = db_fetch_assoc($result)) { + _debug("processing feed id " . $line["id"]); + + $auth_pass = db_escape_string(decrypt_string($line["auth_pass"])); + + db_query("UPDATE ttrss_feeds SET auth_pass_encrypted = false, auth_pass = '$auth_pass' + WHERE id = " . $line["id"]); + + ++$total; + } + + db_query("COMMIT"); + + _debug("$total feeds processed."); + } + PluginHost::getInstance()->run_commands($options); if (file_exists(LOCK_DIRECTORY . "/$lock_filename"))