From 03d086f741ea382ef2fc70af6395ec5cf2484695 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 24 Aug 2022 10:22:48 +0200
Subject: [PATCH] NEW Encrypt all sensitive constants in llx_const

---
 htdocs/admin/mailman.php | 2 +-
 htdocs/core/class/CMailFile.class.php | 1 +
 htdocs/core/class/conf.class.php | 5 +++--
 htdocs/core/lib/admin.lib.php | 20 +++++++++++++++----
 htdocs/core/lib/security2.lib.php | 10 ++++++++++
 htdocs/core/modules/modAdherent.class.php | 2 +-
 .../OAuth/Common/Storage/DoliStorage.php | 7 +++++--
 .../install/mysql/migration/16.0.0-17.0.0.sql | 2 ++
 htdocs/langs/en_US/mailmanspip.lang | 2 +-
 .../mailmanspip/class/mailmanspip.class.php | 2 +-
 10 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/htdocs/admin/mailman.php b/htdocs/admin/mailman.php
index 8b003ce2d4e..eca17ea8e76 100644
--- a/htdocs/admin/mailman.php
+++ b/htdocs/admin/mailman.php
@@ -158,7 +158,7 @@ if (!empty($conf->global->ADHERENT_USE_MAILMAN)) {
 $link .= '';
 // Edition des varibales globales
 $constantes = array(
- 'ADHERENT_MAILMAN_ADMINPW',
+ 'ADHERENT_MAILMAN_ADMIN_PASSWORD',
 'ADHERENT_MAILMAN_URL',
 'ADHERENT_MAILMAN_UNSUB_URL',
 'ADHERENT_MAILMAN_LISTS'
diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php
index d9a21fdb71e..a9518ee6dab 100644
--- a/htdocs/core/class/CMailFile.class.php
+++ b/htdocs/core/class/CMailFile.class.php
@@ -1555,6 +1555,7 @@ class CMailFile
 dol_syslog("Try socket connection to host=".$host." port=".$port);
 //See if we can connect to the SMTP server
+ $errno = 0; $errstr = '';
 if ($socket = @fsockopen(
 $host, // Host to test, IP or domain. Add ssl:// for SSL/TLS.
 $port, // which Port number to use
diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php
index e3063f6f4e2..626052551d5 100644
--- a/htdocs/core/class/conf.class.php
+++ b/htdocs/core/class/conf.class.php
@@ -255,6 +255,8 @@ class Conf
 );
 if (!is_null($db) && is_object($db)) {
+ include_once DOL_DOCUMENT_ROOT.'/core/lib/security.lib.php';
+
 // Define all global constants into $this->global->key=value
 $sql = "SELECT ".$db->decrypt('name')." as name,";
 $sql .= " ".$db->decrypt('value')." as value, entity";
@@ -278,8 +280,7 @@ class Conf
 $value = $_ENV['DOLIBARR_'.$key];
 }
- //if (! defined("$key")) define("$key", $value); // In some cases, the constant might be already forced (Example: SYSLOG_HANDLERS during install)
- $this->global->$key = $value;
+ $this->global->$key = dolDecrypt($value);
 if ($value && strpos($key, 'MAIN_MODULE_') === 0) {
 $reg = array();
diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php
index a68c268f8bd..53193db176c 100644
--- a/htdocs/core/lib/admin.lib.php
+++ b/htdocs/core/lib/admin.lib.php
@@ -603,7 +603,8 @@ function dolibarr_get_const($db, $name, $entity = 1)
 if ($resql) {
 $obj = $db->fetch_object($resql);
 if ($obj) {
- $value = $obj->value;
+ include_once DOL_DOCUMENT_ROOT.'/core/lib/security.lib.php';
+ $value = dolDecrypt($obj->value);
 }
 }
 return $value;
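Review bot: `$this->global->$key = dolDecrypt($value);` in the second conf.class.php hunk now runs the decryptor on every constant of every request, encrypted or not, and dolDecrypt is not in this diff, so its behaviour on plain values (all rows written before this commit) and on a value encrypted under another key cannot be checked here. If dolEncrypt marks its output with the `dolcrypt:` prefix that the security2 hunk parses, gate the call as `$this->global->$key = (is_string($value) && strpos($value, 'dolcrypt:') === 0) ? dolDecrypt($value) : $value;` and use the same guard in dolibarr_get_const, so plaintext rows never reach the decryptor and the per-request cost is a prefix test. Please also confirm the key dolDecrypt uses is read from conf.php rather than from llx_const itself, and put that above the include as `// Key for dolEncrypt/dolDecrypt lives in conf.php; a DB dump restored under another key yields unreadable secrets`. The enclosing method of `class Conf` starts and ends outside these hunks.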
@@ -651,11 +652,22 @@ function dolibarr_set_const($db, $name, $value, $type = 'chaine', $visible = 0,
 $resql = $db->query($sql);
 if (strcmp($value, '')) { // true if different. Must work for $value='0' or $value=0
- $sql = "INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity)";
+ if (!preg_match('/^MAIN_LOGEVENTS/', $name) && (preg_match('/(_KEY|_EXPORTKEY|_SECUREKEY|_SERVERKEY|_PASS|_PASSWORD|_PW|_PW_TICKET|_PW_EMAILING|_SECRET|_SECURITY_TOKEN|_WEB_TOKEN)$/', $name))) {
+ // This seems a sensitive constant, we encrypt its value
+ // To list all sensitive constant, you can make a
+ // WHERE name like '%\_KEY' or name like '%\_EXPORTKEY' or name like '%\_SECUREKEY' or name like '%\_SERVERKEY' or name like '%\_PASS' or name like '%\_PASSWORD' or name like '%\_SECRET'
+ // or name like '%\_SECURITY_TOKEN' or name like '%\WEB_TOKEN'
+ include_once DOL_DOCUMENT_ROOT.'/core/lib/security.lib.php';
+ $newvalue = dolEncrypt($value);
+ } else {
+ $newvalue = $value;
+ }
+
+ $sql = "INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity)";
 $sql .= " VALUES (";
 $sql .= $db->encrypt($name);
- $sql .= ", ".$db->encrypt($value);
- $sql .= ",'".$db->escape($type)."',".((int) $visible).",'".$db->escape($note)."',".((int) $entity).")";
+ $sql .= ", ".$db->encrypt($newvalue);
+ $sql .= ", '".$db->escape($type)."', ".((int) $visible).", '".$db->escape($note)."', ".((int) $entity).")";
 //print "sql".$value."-".pg_escape_string($value)."-".$sql;exit;
 //print "xx".$db->escape($value);
diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php
index 8f4abca6167..380282fc48b 100644
--- a/htdocs/core/lib/security2.lib.php
+++ b/htdocs/core/lib/security2.lib.php
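Review bot: Encryption happens only on the write path of dolibarr_set_const, so every sensitive constant already in llx_const (including the ADHERENT_MAILMAN_ADMIN_PASSWORD row the migration renames) stays in clear text until someone re-saves it, and nothing in this commit re-encrypts existing rows despite the "Encrypt all sensitive constants" title. The four comment lines above the include already disagree with the regex they describe (`_PW`, `_PW_TICKET` and `_PW_EMAILING` are matched but not listed, and `'%\WEB_TOKEN'` lacks the `_`), so I would move the suffix list into one helper used both here and by a migration step that re-encrypts existing rows, and replace the SQL comment with `// Suffix list must stay in sync with the upgrade step that re-encrypts existing llx_const rows`. Unless dolEncrypt refuses input that already carries its own marker, re-saving a constant whose value is already ciphertext (for example one restored from a dump) will encrypt it twice; a guard such as `if (strpos($value, 'dolcrypt:') !== 0) $newvalue = dolEncrypt($value); else $newvalue = $value;` avoids that, assuming the marker is the `dolcrypt:` prefix the security2 hunk parses. dolibarr_set_const starts and ends outside this hunk.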
@@ -374,13 +374,16 @@ function encodedecode_dbpassconf($level = 0)
 $lineofpass = 0;
+ $reg = array();
 if (preg_match('/^[^#]*dolibarr_main_db_encrypted_pass[\s]*=[\s]*(.*)/i', $buffer, $reg)) { // Old way to save crypted value
 $val = trim($reg[1]); // This also remove CR/LF
 $val = preg_replace('/^["\']/', '', $val);
 $val = preg_replace('/["\'][\s;]*$/', '', $val);
 if (!empty($val)) {
 $passwd_crypted = $val;
+ // method dol_encode/dol_decode
 $val = dol_decode($val);
+ //$val = dolEncrypt($val);
 $passwd = $val;
 $lineofpass = 1;
 }
@@ -389,10 +392,17 @@ function encodedecode_dbpassconf($level = 0)
 $val = preg_replace('/^["\']/', '', $val);
 $val = preg_replace('/["\'][\s;]*$/', '', $val);
 if (preg_match('/crypted:/i', $buffer)) {
+ // method dol_encode/dol_decode
 $val = preg_replace('/crypted:/i', '', $val);
 $passwd_crypted = $val;
 $val = dol_decode($val);
 $passwd = $val;
+ } elseif (preg_match('/^dolcrypt:([^:]+):(.*)$/i', $buffer, $reg)) {
+ // method dolEncrypt/dolDecrypt
+ $val = preg_replace('/crypted:([^:]+):/i', '', $val);
+ $passwd_crypted = $val;
+ $val = dolDecrypt($buffer);
+ $passwd = $val;
 } else {
 $passwd = $val;
 $val = dol_encode($val);
diff --git a/htdocs/core/modules/modAdherent.class.php b/htdocs/core/modules/modAdherent.class.php
index ec0546e9af1..a86c5162b01 100644
--- a/htdocs/core/modules/modAdherent.class.php
+++ b/htdocs/core/modules/modAdherent.class.php
@@ -145,7 +145,7 @@ class modAdherent extends DolibarrModules
 $this->const[$r][4] = 0;
 $r++;
- $this->const[$r][0] = "ADHERENT_MAILMAN_ADMINPW";
+ $this->const[$r][0] = "ADHERENT_MAILMAN_ADMIN_PASSWORD";
 $this->const[$r][1] = "chaine";
 $this->const[$r][2] = "";
 $this->const[$r][3] = "Mot de passe Admin des liste mailman";
diff --git a/htdocs/includes/OAuth/Common/Storage/DoliStorage.php b/htdocs/includes/OAuth/Common/Storage/DoliStorage.php
index 32422cf1712..3e09e53fbe6 100644
--- a/htdocs/includes/OAuth/Common/Storage/DoliStorage.php
+++ b/htdocs/includes/OAuth/Common/Storage/DoliStorage.php
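Review bot: The new `elseif` in the second security2 hunk looks unreachable and, if reached, decrypts the wrong string: it anchors `/^dolcrypt:.../` on `$buffer`, which the quote-stripping just above shows is the whole config line rather than its value (so it never starts with `dolcrypt:`), whereas the sibling `crypted:` branch matches `$buffer` unanchored and then works on `$val`; it then calls `dolDecrypt($buffer)` and strips with a `crypted:([^:]+):` pattern that cannot match a `dolcrypt:` value. Unless dolDecrypt is meant to locate its token inside arbitrary text, the branch should read `} elseif (preg_match('/^dolcrypt:([^:]+):(.*)$/i', $val, $reg)) {` / `$passwd_crypted = $val;` / `$val = dolDecrypt($val);`, with the ineffective preg_replace dropped. The commented-out `//$val = dolEncrypt($val);` in the first hunk should either become a real comment saying why the new scheme is not applied to the legacy `dolibarr_main_db_encrypted_pass` form, or be removed. encodedecode_dbpassconf starts and ends outside these hunks.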
@@ -104,7 +104,9 @@ class DoliStorage implements TokenStorageInterface
 //var_dump($token);
 dol_syslog("storeAccessToken service=".$service);
- $serializedToken = serialize($token);
+ include_once DOL_DOCUMENT_ROOT.'/core/lib/security.lib.php';
+ $serializedToken = dolEncrypt(serialize($token));
+
 $this->tokens[$service] = $token;
 if (!is_array($this->tokens)) {
@@ -155,7 +157,8 @@ class DoliStorage implements TokenStorageInterface
 }
 $result = $this->db->fetch_array($resql);
 if ($result) {
- $token = unserialize($result['token']);
+ include_once DOL_DOCUMENT_ROOT.'/core/lib/security.lib.php';
+ $token = unserialize(dolDecrypt($result['token']));
 $this->date_creation = $this->db->jdate($result['datec']);
 $this->date_modification = $this->db->jdate($result['tms']);
 $this->state = $result['state'];
diff --git a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
index d469b2de777..f0906b024bf 100644
--- a/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
+++ b/htdocs/install/mysql/migration/16.0.0-17.0.0.sql
@@ -55,6 +55,8 @@ ALTER TABLE llx_user DROP COLUMN idpers3;
 -- v17
+UPDATE llx_const set name = 'ADHERENT_MAILMAN_ADMIN_PASSWORD' WHERE name = 'ADHERENT_MAILMAN_ADMINPW';
+
 ALTER TABLE llx_oauth_token ADD COLUMN state text after tokenstring;
 ALTER TABLE llx_adherent ADD COLUMN default_lang VARCHAR(6) DEFAULT NULL AFTER datefin;
diff --git a/htdocs/langs/en_US/mailmanspip.lang b/htdocs/langs/en_US/mailmanspip.lang
index bab4b3576b4..6ff3ac9f770 100644
--- a/htdocs/langs/en_US/mailmanspip.lang
+++ b/htdocs/langs/en_US/mailmanspip.lang
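Review bot: `$token = unserialize(dolDecrypt($result['token']));` in the second DoliStorage hunk still hands database content to unserialize() with no `allowed_classes` restriction, and encrypting the column does not change that: whoever can write llx_oauth_token, or holds the key, still gets PHP object injection on the read path. Pass the token class(es) this storage actually handles, e.g. `unserialize(dolDecrypt($result['token']), array('allowed_classes' => array(/* concrete token classes */)))`, or store the token as JSON instead of a serialized object. Rows written before this commit are plaintext serialized tokens and no migration re-encrypts them, so reading them after upgrade relies on dolDecrypt returning unprefixed input unchanged; that is not visible in this diff and deserves a comment at the call site such as `// rows from before 17.0 are unencrypted; dolDecrypt must pass them through untouched`. The migration's `UPDATE llx_const set name = ...` compares the raw column while conf.class.php reads names via `$db->decrypt('name')`, so on an installation that stores const names with DB-level encryption the rename would not match. Both enclosing methods start and end outside these hunks.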
@@ -7,7 +7,7 @@ MailmanCreationSuccess=Subscription test was executed successfully
 MailmanDeletionSuccess=Unsubscription test was executed successfully
 SynchroMailManEnabled=A Mailman update will be performed
 SynchroSpipEnabled=A Spip update will be performed
-DescADHERENT_MAILMAN_ADMINPW=Mailman administrator password
+DescADHERENT_MAILMAN_ADMIN_PASSWORD=Mailman administrator password
 DescADHERENT_MAILMAN_URL=URL for Mailman subscriptions
 DescADHERENT_MAILMAN_UNSUB_URL=URL for Mailman unsubscriptions
 DescADHERENT_MAILMAN_LISTS=List(s) for automatic inscription of new members (separated by a comma)
diff --git a/htdocs/mailmanspip/class/mailmanspip.class.php b/htdocs/mailmanspip/class/mailmanspip.class.php
index 9635c0e2c1f..bcfb1b83d6e 100644
--- a/htdocs/mailmanspip/class/mailmanspip.class.php
+++ b/htdocs/mailmanspip/class/mailmanspip.class.php
@@ -141,7 +141,7 @@ class MailmanSpip
 $list,
 $object->email,
 $object->pass,
- $conf->global->ADHERENT_MAILMAN_ADMINPW
+ $conf->global->ADHERENT_MAILMAN_ADMIN_PASSWORD
 );
 $curl_url = str_replace($patterns, $replace, $url);