From c0642e4f0f57e25054a2a99a7dd037bf5ddd94f7 Mon Sep 17 00:00:00 2001
From: real_nowhereman
Date: Sun, 10 Feb 2008 14:20:09 +0000
Subject: [PATCH] huge security commit, this should be an almost hassle-free hash salt: the salt is created on setup and then STORED in fp-content/config/hashsalt.conf.php (you can change the name of the file from defaults.php); as salt is based on the path on the server, if you had to move to another directory or to another server, then you wouldn't be able to login anymore and you had to reinstall, now this shouldn't be needed anymore; moreover as this is now safe in a file we can add additional security by * concatenating the default paths+random blog id to another random number, which is not written anywhere else * changing the contents with your very own salt string: then re-run setup and overwrite your old user: the hashsalt won't be overwritten (this needs testing)
---
 defaults.php | 1 +
 fp-includes/core/core.system.php | 9 +++++++
 fp-includes/core/core.wp-pluggable-funcs.php | 9 +++++--
 setup/lib/main.lib.php | 14 ++++++-----
 setup/lib/step2.lib.php | 25 ++++++++++++--------
 5 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/defaults.php b/defaults.php
index 4525d92..12c8255 100755
--- a/defaults.php
+++ b/defaults.php
@@ -40,6 +40,7 @@
 // blog configurations files
 define('CONFIG_DIR', FP_CONTENT . 'config/'); //must be chmodded to 0777
 define('CONFIG_FILE', CONFIG_DIR . 'settings.conf.php');
+ define('HASHSALT_FILE', CONFIG_DIR . 'hashsalt.conf.php');
 define('CONFIG_DEFAULT', FP_DEFAULTS. 'settings-defaults.php');
 define('USERS_DIR', FP_CONTENT . 'users/');
diff --git a/fp-includes/core/core.system.php b/fp-includes/core/core.system.php
index 4cbafbf..4efcd94 100755
--- a/fp-includes/core/core.system.php
+++ b/fp-includes/core/core.system.php
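Review bot: `HASHSALT_FILE` is created inside `CONFIG_DIR`, which the context line two above says "must be chmodded to 0777", yet the commit message treats the file's contents as a secret that is written nowhere else and `wp_salt()` in this same patch loads it with `include`. If that directory advice is followed literally, any other account on the host can read the salt or rewrite a file that the blog then executes as PHP; the real requirement for this file is the opposite of world-writable. I'd attach a comment to the new define, `// holds the login salt: readable and writable by the web server account only`, and have setup explain the narrowest permissions the host allows instead of inheriting the 0777 note (whether `system_save()` sets a mode itself is not visible here).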
@@ -63,6 +63,15 @@
 //} else die('Wrong number of parameters!');
 }
+
+ function system_hashsalt_save($force=false) {
+ global $fp_config;
+ if ($force || !file_exists(HASHSALT_FILE))
+ return system_save(HASHSALT_FILE, array('fp_hashsalt'=>$fp_config['general']['blogid'] . ABS_PATH . BLOG_BASEURL .mt_rand()));
+ return true;
+ }
+
+
 define('SYSTEM_VER', '0.704');
 function system_ver() {
diff --git a/fp-includes/core/core.wp-pluggable-funcs.php b/fp-includes/core/core.wp-pluggable-funcs.php
index 3982194..2b32955 100755
--- a/fp-includes/core/core.wp-pluggable-funcs.php
+++ b/fp-includes/core/core.wp-pluggable-funcs.php
@@ -340,8 +340,13 @@ if ( !function_exists('wp_salt') ) :
 function wp_salt() {
 global $fp_config;
 static $salt = null;
- if (!$salt)
- $salt = $fp_config['general']['blogid'] . ABS_PATH . BLOG_BASEURL ;
+ if (!$salt) {
+ @include(HASHSALT_FILE);
+ if (!$fp_hashsalt)
+ trigger_error('Cannot load hash salt: reinstall FlatPress', E_USER_ERROR);
+
+ $salt = $fp_hashsalt;
+ }
 return $salt;
 }
 endif;
diff --git a/setup/lib/main.lib.php b/setup/lib/main.lib.php
index eec2981..3e82b47 100644
--- a/setup/lib/main.lib.php
+++ b/setup/lib/main.lib.php
@@ -128,7 +128,7 @@ function validate() {
 $fp_config['general']['author'] = $user['userid'] = $_POST['fpuser'];
 $user['password'] = $_POST['fppwd'];
- $user['www'] = $_POST['www'];
+ $fp_config['general']['www'] = $user['www'] = $www;
 $fp_config['general']['email'] = $user['email'] = $_POST['email'];
@@ -140,13 +140,15 @@ function validate() {
 $fp_config['general']['blogid'] = system_generate_id(
- BLOG_ROOT.
- $user['www'].
- $user['email'].
- $user['userid']
- );
+ BLOG_ROOT.
+ $user['www'].
+ $user['email'].
+ $user['userid']
+ );
 config_save();
+
+ system_hashsalt_save();
 user_add($user);
diff --git a/setup/lib/step2.lib.php b/setup/lib/step2.lib.php
index 284a598..3f7c7c6 100644
--- a/setup/lib/step2.lib.php
+++ b/setup/lib/step2.lib.php
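Review bot: The only unpredictable part of the salt built in `system_hashsalt_save()` is one `mt_rand()` result — at most 31 bits from a non-cryptographic generator — because the blog id, `ABS_PATH` and `BLOG_BASEURL` are all derivable by anyone who can see the site, so the secret the commit message says protects logins is much weaker than the long string suggests. Gather more entropy where the host offers it (bytes from `/dev/urandom` when it is readable, plus `uniqid('', true)` and `microtime()` as a fallback) and store a hash of the mix so the file does not also leak the server path. `$force=true` quietly replaces an existing salt, which invalidates every stored password hash and cookie derived from it; document that with `// $force overwrites an existing salt: all existing logins stop working`. The `return system_save(...)` presumably yields a boolean like the `return true` branch, but that is not visible here; callers should treat a false result as a setup failure.
```php
	function system_hashsalt_save($force=false) {
		global $fp_config;
		if ($force || !file_exists(HASHSALT_FILE)) {
			// mt_rand() alone gives at most 31 bits; prefer the OS entropy source when it is readable
			$random = uniqid('', true) . mt_rand() . microtime();
			if (is_readable('/dev/urandom') && ($fh = fopen('/dev/urandom', 'rb'))) {
				$random .= fread($fh, 32);
				fclose($fh);
			}
			// hash the mix so the stored salt does not reveal the server path and URL
			$salt = sha1($fp_config['general']['blogid'] . ABS_PATH . BLOG_BASEURL . $random);
			return system_save(HASHSALT_FILE, array('fp_hashsalt' => $salt));
		}
		return true;
	}
```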
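Review bot: In `wp_salt()`, `if (!$fp_hashsalt)` tests a variable that only exists when the `@include` succeeded, so a missing or unreadable `HASHSALT_FILE` raises an undefined-variable notice just before the intended `trigger_error`; `if (empty($fp_hashsalt))` avoids that. The `@` also suppresses the diagnostics for a file that fails to load or parse — an outcome the commit message invites by telling users to edit the file by hand — leaving only the generic "reinstall FlatPress" message, so drop the `@` or test `is_readable(HASHSALT_FILE)` first and name the file in the error. Because the salt is loaded by executing PHP rather than parsing data, a comment such as `// HASHSALT_FILE is executed as PHP: it must only ever be writable by the server account` would help the next maintainer.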
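Review bot: `$www` replaces `$_POST['www']` in the first main.lib.php hunk, but nothing in the hunk assigns it; if it is the checked or normalised form of the posted URL computed earlier in `validate()` (which begins before this hunk), a short comment saying so would help, `// $www: validated form of $_POST['www'], set above`. If it is not set earlier, this line silently stores an empty value into both the config and the user record.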
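Review bot: The result of the new `system_hashsalt_save()` call in the second main.lib.php hunk is ignored, so when `CONFIG_DIR` is not writable the salt file is silently missing and the failure only surfaces later as `wp_salt()`'s `E_USER_ERROR`, presumably somewhere under `user_add($user)`; check it here and route a failure through whatever error reporting `validate()` already uses, e.g. `if (!system_hashsalt_save()) { /* report that HASHSALT_FILE could not be written and abort */ }`. The function keeps an existing salt file, so re-running setup over an old content directory keeps the old salt — consistent with the commit message but worth stating, `// an existing salt is kept so re-running setup does not invalidate old logins`. The blog id computed just above from `BLOG_ROOT`, the URL, e-mail and user id is not secret, so it must not be relied on as the unpredictable part of the salt. `validate()` begins before this hunk, and the re-indented `system_generate_id(` arguments are a whitespace-only change.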
@@ -12,18 +12,23 @@ entry_save(array(
 'subject' => $vl['entry']['subject'],
 'content' => $vl['entry']['content']
- ));
- static_save(array(
- 'subject' => $vl['menu']['subject'],
- 'content' => $vl['menu']['content']
- ), 'menu');
- static_save(array(
- 'subject' => $vl['about']['subject'],
- 'content' => $vl['about']['content']
- ), 'about');
+ ));
+
+ if (!static_exists('menu')) {
+ static_save(array(
+ 'subject' => $vl['menu']['subject'],
+ 'content' => $vl['menu']['content']
+ ), 'menu');
+ }
+ if (!static_exists('about')) {
+ static_save(array(
+ 'subject' => $vl['about']['subject'],
+ 'content' => $vl['about']['content']
+ ), 'about');
+ }
 }
 return $validate;
 }
-?>
\ No newline at end of file
+?>
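Review bot: The `entry_save(...)` call at the top of the hunk is still unconditional while the two `static_save` calls are now guarded by `static_exists()`, so re-running setup over an existing installation — which the commit message now presents as the way to replace a user — adds a duplicate first entry each time. Guard it the same way if the entry API has an existence check, or say why it is intended with `// the welcome entry is re-created on every setup run`. The `?>` change only adds a newline after the closing tag; since a PHP-only file does not need it, dropping `?>` altogether removes any chance of stray output before headers are sent. The function enclosing this code starts before the hunk.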