huge security commit, this should be an almost hassle-free hash salt: the salt is created on setup and then STORED in fp-content/config/hashsalt.conf.php

(you can change the name of the file from defaults.php); as salt is based on the path on the server, if you had to move to another directory or to another server, then you wouldn't be able to login anymore and you had to reinstall, now this shouldn't be needed anymore; moreover as this is now safe in a file we can add additional security by * concatenating the default paths+random blog id to another random number, which is not written anywhere else * changing the contents with your very own salt string: then re-run setup and overwrite your old user: the hashsalt won't be overwritten (this needs testing)
2008-02-10 14:20:09 +00:00 · 2008-02-10 14:20:09 +00:00 · c0642e4f0f
commit c0642e4f0f
parent cacf56f276
5 changed files with 40 additions and 18 deletions
--- a/defaults.php
+++ b/defaults.php
@ -40,6 +40,7 @@
 	// blog configurations files
 	define('CONFIG_DIR', FP_CONTENT . 'config/');  //must be chmodded to 0777
 	define('CONFIG_FILE', CONFIG_DIR . 'settings.conf.php'); 
+	define('HASHSALT_FILE', CONFIG_DIR . 'hashsalt.conf.php'); 
 	define('CONFIG_DEFAULT', FP_DEFAULTS. 'settings-defaults.php');
 	define('USERS_DIR', FP_CONTENT . 'users/');
 	
--- a/fp-includes/core/core.system.php
+++ b/fp-includes/core/core.system.php
@ -64,6 +64,15 @@
 			
 	}

+	function system_hashsalt_save($force=false) {
+		global $fp_config;
+		if ($force || !file_exists(HASHSALT_FILE))
+			return system_save(HASHSALT_FILE, array('fp_hashsalt'=>$fp_config['general']['blogid'] . ABS_PATH . BLOG_BASEURL .mt_rand()));	
+		return true;
+	}
+
+
+	
 	define('SYSTEM_VER', '0.704');
 	function system_ver() {
 		return 'fp-' . SYSTEM_VER;
--- a/fp-includes/core/core.wp-pluggable-funcs.php
+++ b/fp-includes/core/core.wp-pluggable-funcs.php
@ -340,8 +340,13 @@ if ( !function_exists('wp_salt') ) :
 function wp_salt() {
 	global $fp_config;
 	static $salt = null;
-	if (!$salt)
-		$salt = $fp_config['general']['blogid'] . ABS_PATH . BLOG_BASEURL ;
+	if (!$salt) {
+		@include(HASHSALT_FILE);
+		if (!$fp_hashsalt)
+			trigger_error('Cannot load hash salt: reinstall FlatPress', E_USER_ERROR);
+			
+		$salt = $fp_hashsalt;
+	}
 	return $salt;
 }
 endif;
--- a/setup/lib/main.lib.php
+++ b/setup/lib/main.lib.php
@ -128,7 +128,7 @@ function validate() {
 	$fp_config['general']['author'] = $user['userid'] = $_POST['fpuser'];
 	$user['password'] = $_POST['fppwd'];
 	
-	$user['www'] = $_POST['www'];
+	$fp_config['general']['www'] = $user['www'] = $www;
 	$fp_config['general']['email'] = $user['email'] = $_POST['email'];
 	
 	
@ -140,14 +140,16 @@ function validate() {
 	
 	
 	$fp_config['general']['blogid'] = system_generate_id(	
-												BLOG_ROOT.
-												$user['www'].
-												$user['email'].
-												$user['userid'] 
-									);
+								BLOG_ROOT.
+								$user['www'].
+								$user['email'].
+								$user['userid'] 
+							);
 													
 	config_save();

+	system_hashsalt_save();
+	
 	user_add($user);
 	
 	return true;
--- a/setup/lib/step2.lib.php
+++ b/setup/lib/step2.lib.php
@ -13,14 +13,19 @@
 				'subject' => $vl['entry']['subject'],
 				'content' => $vl['entry']['content']
 			));
-			static_save(array(
-				'subject' => $vl['menu']['subject'],
-				'content' => $vl['menu']['content']
-			), 'menu');
-			static_save(array(
-				'subject' => $vl['about']['subject'],
-				'content' => $vl['about']['content']
-			), 'about');
+			
+			if (!static_exists('menu')) {	
+				static_save(array(
+					'subject' => $vl['menu']['subject'],
+					'content' => $vl['menu']['content']
+				), 'menu');
+			}
+			if (!static_exists('about')) {
+				static_save(array(
+					'subject' => $vl['about']['subject'],
+					'content' => $vl['about']['content']
+				), 'about');
+			}
 		}
 		
 		return $validate;