deprecate encrypted feed passwords because mcrypt is getting removed from php 7.1

1. transparent decryption for existing installs stays for the time being
2. new passwords are not going to be encrypted even if FEED_CRYPT_KEY is defined
3. added update.php --decrypt-feeds to bulk decrypt existing encrypted passwords
4. updated install to not auto-generate crypt key
5. added warning to config.php-dist
Andrew Dolgov 2017-01-07 14:25:46 +03:00
parent 370fe2bdcd
commit 17a8e61d2a
7 changed files with 43 additions and 50 deletions


@ -646,7 +646,7 @@ class Pref_Feeds extends Handler_Protected {
$auth_pass = $this->dbh->fetch_result($result, 0, "auth_pass"); $auth_pass = $this->dbh->fetch_result($result, 0, "auth_pass");
if ($auth_pass_encrypted) { if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
require_once "crypt.php"; require_once "crypt.php";
$auth_pass = decrypt_string($auth_pass); $auth_pass = decrypt_string($auth_pass);
} }
@ -983,14 +983,7 @@ class Pref_Feeds extends Handler_Protected {
$feed_language = $this->dbh->escape_string(trim($_POST["feed_language"])); $feed_language = $this->dbh->escape_string(trim($_POST["feed_language"]));
if (strlen(FEED_CRYPT_KEY) > 0) {
require_once "crypt.php";
$auth_pass = substr(encrypt_string($auth_pass), 0, 250);
$auth_pass_encrypted = 'true';
} else {
$auth_pass_encrypted = 'false'; $auth_pass_encrypted = 'false';
}
$auth_pass = $this->dbh->escape_string($auth_pass); $auth_pass = $this->dbh->escape_string($auth_pass);
if (get_pref('ENABLE_FEED_CATS')) { if (get_pref('ENABLE_FEED_CATS')) {
@ -1889,14 +1882,7 @@ class Pref_Feeds extends Handler_Protected {
"SELECT id FROM ttrss_feeds "SELECT id FROM ttrss_feeds
WHERE feed_url = '$feed' AND owner_uid = ".$_SESSION["uid"]); WHERE feed_url = '$feed' AND owner_uid = ".$_SESSION["uid"]);
if (strlen(FEED_CRYPT_KEY) > 0) {
require_once "crypt.php";
$pass = substr(encrypt_string($pass), 0, 250);
$auth_pass_encrypted = 'true';
} else {
$auth_pass_encrypted = 'false'; $auth_pass_encrypted = 'false';
}
$pass = $this->dbh->escape_string($pass); $pass = $this->dbh->escape_string($pass);
if ($this->dbh->num_rows($result) == 0) { if ($this->dbh->num_rows($result) == 0) {
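Review bot: The guard in the first hunk, `if ($auth_pass_encrypted && function_exists("mcrypt_decrypt"))`, falls through silently when mcrypt is absent, so the stored ciphertext is then handed on as the feed's password; the same pattern appears in the two `db_fetch_result` hunks further down (@ -254 and @ -347). Rather than attempting authentication with an opaque blob, an explicit else-branch should report the condition: `} else if ($auth_pass_encrypted) { trigger_error("feed password is encrypted but mcrypt is unavailable; run update.php --decrypt-feeds", E_USER_WARNING); }`. The enclosing method starts before the hunk.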


@ -25,6 +25,11 @@
// including PUSH, bookmarklets and browser integration will not work properly. // including PUSH, bookmarklets and browser integration will not work properly.
define('FEED_CRYPT_KEY', ''); define('FEED_CRYPT_KEY', '');
// WARNING: mcrypt is deprecated in php 7.1. This directive exists for backwards
// compatibility with existing installs, new passwords are NOT going to be encrypted.
// Use update.php --decrypt-feeds to decrypt existing passwords in the database while
// mcrypt is still available.
// Key used for encryption of passwords for password-protected feeds // Key used for encryption of passwords for password-protected feeds
// in the database. A string of 24 random characters. If left blank, encryption // in the database. A string of 24 random characters. If left blank, encryption
// is not used. Requires mcrypt functions. // is not used. Requires mcrypt functions.
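Review bot: The retained description after the new warning still reads `A string of 24 random characters. If left blank, encryption is not used. Requires mcrypt functions.`, which now contradicts the warning directly above it, since a key no longer causes new passwords to be encrypted. Reword those three old lines so the whole comment is consistent, e.g. `// Legacy key for feed passwords encrypted by earlier versions; it is only used to decrypt them and setting it does not encrypt new passwords.`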


@ -18,19 +18,4 @@
return false; return false;
} }
function encrypt_string($str) {
$key = hash('SHA256', FEED_CRYPT_KEY, true);
$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128,
MCRYPT_MODE_CBC), MCRYPT_RAND);
$encstr = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $str,
MCRYPT_MODE_CBC, $iv);
$iv_base64 = base64_encode($iv);
$encstr_base64 = base64_encode($encstr);
return "$iv_base64:$encstr_base64";
}
?> ?>


@ -1749,14 +1749,7 @@
"SELECT id FROM ttrss_feeds "SELECT id FROM ttrss_feeds
WHERE feed_url = '$url' AND owner_uid = ".$_SESSION["uid"]); WHERE feed_url = '$url' AND owner_uid = ".$_SESSION["uid"]);
if (strlen(FEED_CRYPT_KEY) > 0) {
require_once "crypt.php";
$auth_pass = substr(encrypt_string($auth_pass), 0, 250);
$auth_pass_encrypted = 'true';
} else {
$auth_pass_encrypted = 'false'; $auth_pass_encrypted = 'false';
}
$auth_pass = db_escape_string($auth_pass); $auth_pass = db_escape_string($auth_pass);
if (db_num_rows($result) == 0) { if (db_num_rows($result) == 0) {


@ -254,7 +254,7 @@
$auth_login = db_fetch_result($result, 0, "auth_login"); $auth_login = db_fetch_result($result, 0, "auth_login");
$auth_pass = db_fetch_result($result, 0, "auth_pass"); $auth_pass = db_fetch_result($result, 0, "auth_pass");
if ($auth_pass_encrypted) { if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
require_once "crypt.php"; require_once "crypt.php";
$auth_pass = decrypt_string($auth_pass); $auth_pass = decrypt_string($auth_pass);
} }
@ -347,7 +347,7 @@
$auth_login = db_fetch_result($result, 0, "auth_login"); $auth_login = db_fetch_result($result, 0, "auth_login");
$auth_pass = db_fetch_result($result, 0, "auth_pass"); $auth_pass = db_fetch_result($result, 0, "auth_pass");
if ($auth_pass_encrypted) { if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
require_once "crypt.php"; require_once "crypt.php";
$auth_pass = decrypt_string($auth_pass); $auth_pass = decrypt_string($auth_pass);
} }


@ -128,12 +128,6 @@
$finished = false; $finished = false;
if (function_exists("mcrypt_decrypt")) {
$crypt_key = make_password(24);
} else {
$crypt_key = "";
}
foreach ($data as $line) { foreach ($data as $line) {
if (preg_match("/define\('DB_TYPE'/", $line)) { if (preg_match("/define\('DB_TYPE'/", $line)) {
$rv .= "\tdefine('DB_TYPE', '$DB_TYPE');\n"; $rv .= "\tdefine('DB_TYPE', '$DB_TYPE');\n";
@ -149,8 +143,6 @@
$rv .= "\tdefine('DB_PORT', '$DB_PORT');\n"; $rv .= "\tdefine('DB_PORT', '$DB_PORT');\n";
} else if (preg_match("/define\('SELF_URL_PATH'/", $line)) { } else if (preg_match("/define\('SELF_URL_PATH'/", $line)) {
$rv .= "\tdefine('SELF_URL_PATH', '$SELF_URL_PATH');\n"; $rv .= "\tdefine('SELF_URL_PATH', '$SELF_URL_PATH');\n";
} else if (preg_match("/define\('FEED_CRYPT_KEY'/", $line)) {
$rv .= "\tdefine('FEED_CRYPT_KEY', '$crypt_key');\n";
} else if (!$finished) { } else if (!$finished) {
$rv .= "$line\n"; $rv .= "$line\n";
} }


@ -38,6 +38,7 @@
"debug-feed:", "debug-feed:",
"force-refetch", "force-refetch",
"force-rehash", "force-rehash",
"decrypt-feeds",
"help"); "help");
foreach (PluginHost::getInstance()->get_commands() as $command => $data) { foreach (PluginHost::getInstance()->get_commands() as $command => $data) {
@ -91,6 +92,7 @@
print " --debug-feed N - perform debug update of feed N\n"; print " --debug-feed N - perform debug update of feed N\n";
print " --force-refetch - debug update: force refetch feed data\n"; print " --force-refetch - debug update: force refetch feed data\n";
print " --force-rehash - debug update: force rehash articles\n"; print " --force-rehash - debug update: force rehash articles\n";
print " --decrypt-feeds - decrypt feed passwords\n";
print " --help - show this help\n"; print " --help - show this help\n";
print "Plugin options:\n"; print "Plugin options:\n";
@ -402,6 +404,36 @@
update_rss_feed($feed); update_rss_feed($feed);
} }
if (isset($options["decrypt-feeds"])) {
$result = db_query("SELECT id, auth_pass FROM ttrss_feeds WHERE auth_pass_encrypted = true");
if (!function_exists("mcrypt_decrypt")) {
_debug("mcrypt functions not available.");
return;
}
require_once "crypt.php";
$total = 0;
db_query("BEGIN");
while ($line = db_fetch_assoc($result)) {
_debug("processing feed id " . $line["id"]);
$auth_pass = db_escape_string(decrypt_string($line["auth_pass"]));
db_query("UPDATE ttrss_feeds SET auth_pass_encrypted = false, auth_pass = '$auth_pass'
WHERE id = " . $line["id"]);
++$total;
}
db_query("COMMIT");
_debug("$total feeds processed.");
}
PluginHost::getInstance()->run_commands($options); PluginHost::getInstance()->run_commands($options);
if (file_exists(LOCK_DIRECTORY . "/$lock_filename")) if (file_exists(LOCK_DIRECTORY . "/$lock_filename"))
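Review bot: In the `--decrypt-feeds` loop a failed decryption is written straight to the database: the remaining function in crypt.php ends in `return false;` (visible at the top of that file's hunk, presumably decrypt_string's failure path), and `db_escape_string(false)` yields an empty string, so the UPDATE would replace the still-encrypted blob with `''` and clear `auth_pass_encrypted`, losing the credential with no way back. Rows that do not decrypt should be skipped and left flagged, as below. Separately, the `return;` after the mcrypt check sits in what looks like file-scope option handling, in which case it ends the script before `run_commands` and the lock-file check at the bottom of the hunk; moving the `function_exists` check before the query and wrapping the rest of the block in it avoids that.
```php
while ($line = db_fetch_assoc($result)) {
    _debug("processing feed id " . $line["id"]);
    $decrypted = decrypt_string($line["auth_pass"]);
    if ($decrypted === false) {
        _debug("could not decrypt password for feed id " . $line["id"] . ", leaving it unchanged");
        continue;
    }
    $auth_pass = db_escape_string($decrypted);
    // … unchanged: UPDATE query, counter …
}
```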