From 1f2e87ec0985195a81799ce726895de3a0c92cee Mon Sep 17 00:00:00 2001 From: FrancescoUK Date: Mon, 7 Nov 2016 19:20:44 +0000 Subject: [PATCH] Encrypt email and sms passwords before saving to MySQL (#963) It also automatically generates an encryption key if not existing storing it in config/config.php in order to enable encryption. --- application/config/autoload.php | 2 +- application/controllers/Config.php | 77 +++++++++++++++++++++++++++-- application/controllers/Home.php | 4 +- application/libraries/Email_lib.php | 2 +- application/libraries/Sms_lib.php | 4 +- application/models/Employee.php | 2 +- 6 files changed, 81 insertions(+), 10 deletions(-) diff --git a/application/config/autoload.php b/application/config/autoload.php index ca97c6db8..090828883 100644 --- a/application/config/autoload.php +++ b/application/config/autoload.php @@ -58,7 +58,7 @@ $autoload['packages'] = array(); | | $autoload['libraries'] = array('user_agent' => 'ua'); */ -$autoload['libraries'] = array('database', 'form_validation', 'session', 'user_agent', 'pagination'); +$autoload['libraries'] = array('database', 'form_validation', 'session', 'user_agent', 'pagination', 'encryption'); /* | ------------------------------------------------------------------- diff --git a/application/controllers/Config.php b/application/controllers/Config.php index 9df7fcb0c..e07189a0e 100644 --- a/application/controllers/Config.php +++ b/application/controllers/Config.php @@ -183,7 +183,9 @@ class Config extends Secure_Controller $themes[$dirinfo->getFileName()] = $dirinfo->getFileName(); } } + asort($themes); + return $themes; } @@ -313,12 +315,19 @@ class Config extends Secure_Controller public function save_email() { + $password = ''; + + if($this->_check_encryption()) + { + $password = $this->encryption->encrypt($this->input->post('smtp_pass')); + } + $batch_save_data = array( 'protocol' => $this->input->post('protocol'), 'mailpath' => $this->input->post('mailpath'), 'smtp_host' => $this->input->post('smtp_host'), 'smtp_user' => $this->input->post('smtp_user'), - 'smtp_pass' => $this->input->post('smtp_pass'), + 'smtp_pass' => $password, 'smtp_port' => $this->input->post('smtp_port'), 'smtp_timeout' => $this->input->post('smtp_timeout'), 'smtp_crypto' => $this->input->post('smtp_crypto') @@ -332,10 +341,17 @@ class Config extends Secure_Controller public function save_message() { + $password = ''; + + if($this->_check_encryption()) + { + $password = $this->encryption->encrypt($this->input->post('msg_pwd')); + } + $batch_save_data = array( 'msg_msg' => $this->input->post('msg_msg'), 'msg_uid' => $this->input->post('msg_uid'), - 'msg_pwd' => $this->input->post('msg_pwd'), + 'msg_pwd' => $password, 'msg_src' => $this->input->post('msg_src') ); @@ -484,7 +500,62 @@ class Config extends Secure_Controller $this->upload->do_upload('company_logo'); return strlen($this->upload->display_errors()) == 0 || !strcmp($this->upload->display_errors(), '

'.$this->lang->line('upload_no_file_selected').'

'); - } + } + + private function _check_encryption() + { + $encryption_key = $this->config->item('encryption_key'); + + // check if the encryption_key config item is the default one + if($encryption_key == '' || $encryption_key == 'YOUR KEY') + { + // Config path + $config_path = APPPATH . 'config/config.php'; + + // Open the file + $config = file_get_contents($config_path); + + // $key will be assigned a 32-byte (256-bit) hex-encoded random key + $key = bin2hex($this->encryption->create_key(32)); + + // replace the empty placeholder with a real randomly generated encryption key + if($encryption_key == '') + { + $config = str_replace("['encryption_key'] = '';", "['encryption_key'] = '" . $key . "';", $config); + } + else + { + $config = str_replace("['encryption_key'] = 'YOUR KEY';", "['encryption_key'] = '" . $key . "';", $config); + } + + // set the encryption key in the config item + $this->config->set_item('encryption_key', $key); + + // Write the new config.php file + $handle = fopen($config_path, 'w+'); + + // Chmod the file + @chmod($config_path, 0777); + + $result = FALSE; + + // Verify file permissions + if(is_writable($config_path)) + { + // Write the file + $result = (fwrite($handle, $config) === FALSE) ? FALSE : TRUE; + } + + // Chmod the file + @chmod($config_path, 0444); + + fclose($handle); + + return $result; + } + + return TRUE; + } public function backup_db() { diff --git a/application/controllers/Home.php b/application/controllers/Home.php index 59ca39547..a2b812dfa 100644 --- a/application/controllers/Home.php +++ b/application/controllers/Home.php @@ -16,9 +16,9 @@ class Home extends Secure_Controller public function logout() { - $this->Employee->logout(); - $this->track_page('logout', 'logout'); + + $this->Employee->logout(); } } ?> \ No newline at end of file diff --git a/application/libraries/Email_lib.php b/application/libraries/Email_lib.php index cb155f0ca..2a8050391 100644 --- a/application/libraries/Email_lib.php +++ b/application/libraries/Email_lib.php @@ -18,7 +18,7 @@ class Email_lib 'mailpath' => $this->CI->config->item('mailpath'), 'smtp_host' => $this->CI->config->item('smtp_host'), 'smtp_user' => $this->CI->config->item('smtp_user'), - 'smtp_pass' => $this->CI->config->item('smtp_pass'), + 'smtp_pass' => $this->CI->encryption->decrypt($this->CI->config->item('smtp_pass')), 'smtp_port' => $this->CI->config->item('smtp_port'), 'smtp_timeout' => $this->CI->config->item('smtp_timeout'), 'smtp_crypto' => $this->CI->config->item('smtp_crypto') diff --git a/application/libraries/Sms_lib.php b/application/libraries/Sms_lib.php index 9888e42e6..8f1bbbea0 100644 --- a/application/libraries/Sms_lib.php +++ b/application/libraries/Sms_lib.php @@ -16,7 +16,7 @@ class Sms_lib public function sendSMS($phone, $message) { $username = $this->CI->config->item('msg_uid'); - $password = $this->CI->config->item('msg_pwd'); + $password = $this->CI->encryption->decrypt($this->CI->config->item('msg_pwd')); $originator = $this->CI->config->item('msg_src'); $response = FALSE; @@ -27,7 +27,7 @@ class Sms_lib //echo $username . ' ' . $password . ' ' . $phone . ' ' . $message . ' ' . $originator; } else - { + { $response = TRUE; // make sure passed string is url encoded diff --git a/application/models/Employee.php b/application/models/Employee.php index 9b720cd80..dfeec9ff7 100644 --- a/application/models/Employee.php +++ b/application/models/Employee.php @@ -298,7 +298,6 @@ class Employee extends Person */ public function login($username, $password) { - $query = $this->db->get_where('employees', array('username' => $username, 'deleted' => 0), 1); if($query->num_rows() == 1) @@ -332,6 +331,7 @@ class Employee extends Person public function logout() { $this->session->sess_destroy(); + redirect('login'); }