mirror/FreshRSS
0
0
Fork 0
mirror of https://github.com/FreshRSS/FreshRSS.git synced 2026-02-01 00:51:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

Strengthen some crypto (#8061)

Browse Source 
For login, tokens, nonces
This commit is contained in:
Alexandre Alapetite
2025-10-04 14:32:18 +02:00
committed by GitHub
parent be49726ebb
commit 57e1a375cb
6 changed files with 8 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/Controllers/javascriptController.php
View File

@@ -74,12 +74,11 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
$user_conf = get_user_configuration($user);
if ($user_conf !== null) {
try {
$salt = FreshRSS_Context::systemConf()->salt;
$s = $user_conf->passwordHash;
if (strlen($s) >= 60) {
//CRYPT_BLOWFISH Salt: "$2a$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".
$this->view->salt1 = substr($s, 0, 29);
$this->view->nonce = sha1($salt . uniqid('' . mt_rand(), true));
$this->view->nonce = hash('sha256', FreshRSS_Context::systemConf()->salt . $user . random_bytes(32));
Minz_Session::_param('nonce', $this->view->nonce);
return; //Success
}
@@ -95,7 +94,7 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
for ($i = 22; $i > 0; $i--) {
$this->view->salt1 .= $alphabet[random_int(0, 63)];
}
$this->view->nonce = sha1('' . mt_rand());
$this->view->nonce = hash('sha256', 'failure' . rand());
Minz_Session::_param('nonce', $this->view->nonce);
}
}