From e4ec6f0b632b981a0324b8728e10dd416fb4085b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?=
Date: Wed, 3 May 2023 12:01:36 +0200
Subject: [PATCH 1/3] use instance_unique_id
---
 htdocs/core/lib/security.lib.php | 16 ++++++++--------
 htdocs/user/class/user.class.php | 10 +++++-----
 htdocs/user/passwordforgotten.php | 6 +++---
 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index f75bb21eae9..22b32e14f51 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -108,11 +108,11 @@ function dolGetRandomBytes($length)
 /**
 * Encode a string with a symetric encryption. Used to encrypt sensitive data into database.
- * Note: If a backup is restored onto another instance with a different $dolibarr_main_instance_unique_id, then decoded value will differ.
+ * Note: If a backup is restored onto another instance with a different $conf->file->instance_unique_id, then decoded value will differ.
 * This function is called for example by dol_set_const() when saving a sensible data into database configuration table llx_const.
 *
 * @param string $chain string to encode
- * @param string $key If '', we use $dolibarr_main_instance_unique_id
+ * @param string $key If '', we use $conf->file->instance_unique_id
 * @param string $ciphering Default ciphering algorithm
 * @param string $forceseed To force the seed
 * @return string encoded string
@@ -120,7 +120,7 @@ function dolGetRandomBytes($length)
 */
 function dolEncrypt($chain, $key = '', $ciphering = 'AES-256-CTR', $forceseed = '')
 {
- global $dolibarr_main_instance_unique_id;
+ global $conf;
 global $dolibarr_disable_dolcrypt_for_debug;
 if ($chain === '' || is_null($chain)) {
@@ -134,7 +134,7 @@ function dolEncrypt($chain, $key = '', $ciphering = 'AES-256-CTR', $forceseed =
 }
 if (empty($key)) {
- $key = $dolibarr_main_instance_unique_id;
+ $key = $conf->file->instance_unique_id;
 }
 if (empty($ciphering)) {
 $ciphering = 'AES-256-CTR';
@@ -165,23 +165,23 @@ function dolEncrypt($chain, $key = '', $ciphering = 'AES-256-CTR', $forceseed =
 /**
 * Decode a string with a symetric encryption. Used to decrypt sensitive data saved into database.
- * Note: If a backup is restored onto another instance with a different $dolibarr_main_instance_unique_id, then decoded value will differ.
+ * Note: If a backup is restored onto another instance with a different $conf->file->instance_unique_id, then decoded value will differ.
 *
 * @param string $chain string to encode
- * @param string $key If '', we use $dolibarr_main_instance_unique_id
+ * @param string $key If '', we use $conf->file->instance_unique_id
 * @return string encoded string
 * @see dolEncrypt(), dol_hash()
 */
 function dolDecrypt($chain, $key = '')
 {
- global $dolibarr_main_instance_unique_id;
+ global $conf;
 if ($chain === '' || is_null($chain)) {
 return '';
 }
 if (empty($key)) {
- $key = $dolibarr_main_instance_unique_id;
+ $key = $conf->file->instance_unique_id;
 }
 $reg = array();
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 9d70d846050..ced127036b7 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
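Review bot: After `$key = $conf->file->instance_unique_id;` in dolEncrypt (hunk @@ -134) and again in dolDecrypt (hunk @@ -165), nothing in the visible lines rejects an empty key, while the install fallback in PATCH 2 deliberately sets `instance_unique_id` to `''` when neither `$dolibarr_main_instance_unique_id` nor `$dolibarr_main_cookie_cryptkey` is configured, and a call that reaches these functions before `$conf->file` is populated would yield null the same way. Encrypting stored secrets under an empty key is a silent downgrade rather than an error, so unless the remainder of the body already handles it, add a check directly after the assignment, e.g. `if (empty($key)) { dol_syslog(__FUNCTION__.': instance_unique_id is empty, data is not protected', LOG_WARNING); }`, or refuse to proceed where callers can tolerate that. Both function bodies continue outside the hunk.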
@@ -2451,11 +2451,11 @@ class User extends CommonObject
 dol_syslog(get_class($this)."::send_password changelater is off, url=".$url);
 } else {
- global $dolibarr_main_instance_unique_id;
+ global $conf;
- //print $password.'-'.$this->id.'-'.$dolibarr_main_instance_unique_id;
+ //print $password.'-'.$this->id.'-'.$conf->file->instance_unique_id;
 $url = $urlwithroot.'/user/passwordforgotten.php?action=validatenewpassword';
- $url .= '&username='.urlencode($this->login)."&passworduidhash=".urlencode(dol_hash($password.'-'.$this->id.'-'.$dolibarr_main_instance_unique_id));
+ $url .= '&username='.urlencode($this->login)."&passworduidhash=".urlencode(dol_hash($password.'-'.$this->id.'-'.$conf->file->instance_unique_id));
 if (isModEnabled('multicompany')) {
 $url .= '&entity='.(!empty($this->entity) ? $this->entity : 1);
 }
@@ -3894,10 +3894,10 @@ class User extends CommonObject
 */
 public function getOnlineVirtualCardUrl($mode = '', $typeofurl = 'external')
 {
- global $dolibarr_main_instance_unique_id, $dolibarr_main_url_root;
+ global $dolibarr_main_url_root;
 global $conf;
- $encodedsecurekey = dol_hash($dolibarr_main_instance_unique_id.'uservirtualcard'.$this->id.'-'.$this->login, 'md5');
+ $encodedsecurekey = dol_hash($conf->file->instance_unique_id.'uservirtualcard'.$this->id.'-'.$this->login, 'md5');
 if (isModEnabled('multicompany')) {
 $entity_qr = '&entity='.((int) $conf->entity);
 } else {
diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php
index 3f2d9e4059f..c7a132feee2 100644
--- a/htdocs/user/passwordforgotten.php
+++ b/htdocs/user/passwordforgotten.php
@@ -94,10 +94,10 @@ if (empty($reshook)) {
 if ($result < 0) {
 $message = '
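Review bot: The new `global $conf;` in hunk @@ -2451 is declared inside the `else` branch rather than at the top of send_password, whose opening lies outside the hunk; if the method already declares `global $conf` there, as getOnlineVirtualCardUrl in hunk @@ -3894 does, the added line is redundant and can be dropped, otherwise it belongs with the other declarations at the top of the method. On the `$url .=` line the only secret that goes into `passworduidhash` is the instance key, so a non-empty `$conf->file->instance_unique_id` is what keeps the reset link unforgeable; a one-line comment above it would make that dependency visible, e.g. `// The reset hash is only as secret as $conf->file->instance_unique_id, which must be set on every instance`.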
'.dol_escape_htmltag($langs->trans("ErrorTechnicalError")).'
';
 } else {
- global $dolibarr_main_instance_unique_id;
+ global $conf;
- //print $edituser->pass_temp.'-'.$edituser->id.'-'.$dolibarr_main_instance_unique_id.' '.$passworduidhash;
- if ($edituser->pass_temp && dol_verifyHash($edituser->pass_temp.'-'.$edituser->id.'-'.$dolibarr_main_instance_unique_id, $passworduidhash)) {
+ //print $edituser->pass_temp.'-'.$edituser->id.'-'.$conf->file->instance_unique_id.' '.$passworduidhash;
+ if ($edituser->pass_temp && dol_verifyHash($edituser->pass_temp.'-'.$edituser->id.'-'.$conf->file->instance_unique_id, $passworduidhash)) {
 // Clear session
 unset($_SESSION['dol_login']);
 $_SESSION['dol_loginmesg'] = ''.$langs->transnoentitiesnoconv('NewPasswordValidated'); // Save message for the session page
From fe6e31a81d24ed1a4ce1acbaa4e7c80bbf785cb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?=
Date: Wed, 3 May 2023 12:29:11 +0200
Subject: [PATCH 2/3] fix install
---
 htdocs/install/inc.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php
index 1f17374728b..4173955cbb3 100644
--- a/htdocs/install/inc.php
+++ b/htdocs/install/inc.php
@@ -407,6 +407,8 @@ function conf($dolibarr_main_document_root)
 global $dolibarr_main_db_user;
 global $dolibarr_main_db_pass;
 global $character_set_client;
+ global $dolibarr_main_instance_unique_id;
+ global $dolibarr_main_cookie_cryptkey;
 $return = include_once $dolibarr_main_document_root.'/core/class/conf.class.php';
 if (!$return) {
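Review bot: `global $conf;` in hunk @@ -94 of passwordforgotten.php appears to sit at file scope (the hunk header shows `if (empty($reshook)) {` at column 0), where the keyword is a no-op, exactly as the removed `global $dolibarr_main_instance_unique_id;` was; the line can be deleted and `$conf` used directly. The same replacement is made in passwordreset.tpl.php (PATCH 3, hunk @@ -97); there the declaration may matter if the template is included from inside a function, so keep it only where that is the case, and say so in a comment such as `// global needed: template may be included from function scope`.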
@@ -429,6 +431,8 @@ function conf($dolibarr_main_document_root)
 $character_set_client = "UTF-8";
 }
 $conf->file->character_set_client = strtoupper($character_set_client);
+ // Unique id of instance
+ $conf->file->instance_unique_id = empty($dolibarr_main_instance_unique_id) ? (empty($dolibarr_main_cookie_cryptkey) ? '' : $dolibarr_main_cookie_cryptkey) : $dolibarr_main_instance_unique_id;
 if (empty($dolibarr_main_db_character_set)) {
 $dolibarr_main_db_character_set = ($conf->db->type == 'mysqli' ? 'utf8' : '');
 }
From 9d29ae8f1046c14634f638817733d906c9830869 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?=
Date: Wed, 3 May 2023 14:22:30 +0200
Subject: [PATCH 3/3] wip
---
 htdocs/core/modules/mailings/modules_mailings.php | 3 +--
 htdocs/core/tpl/passwordreset.tpl.php | 6 +++---
 htdocs/public/users/view.php | 4 ++--
 3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/htdocs/core/modules/mailings/modules_mailings.php b/htdocs/core/modules/mailings/modules_mailings.php
index 5a99a44dc0f..28c9e6cc034 100644
--- a/htdocs/core/modules/mailings/modules_mailings.php
+++ b/htdocs/core/modules/mailings/modules_mailings.php
@@ -180,7 +180,6 @@ class MailingTargets // This can't be abstract as it is used for some method
 public function addTargetsToDatabase($mailing_id, $cibles)
 {
 global $conf;
- global $dolibarr_main_instance_unique_id;
 $this->db->begin();
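Review bot: The fallback added in hunk @@ -429 silently resolves `$conf->file->instance_unique_id` to `''` when neither conf.php value is set, and otherwise reuses the cookie crypt key as the symmetric key consumed by dolEncrypt()/dolDecrypt() and as the secret in the reset, unsubscribe and virtual-card hashes touched elsewhere in this series; the comment `// Unique id of instance` says neither, so expand it, e.g. `// Unique id of instance: symmetric key for dolEncrypt()/dolDecrypt() and secret for reset/unsubscribe links; falls back to the cookie crypt key, or '' when neither is set in conf.php`. The runtime conf loader is not part of this series, so I cannot confirm it applies the same fallback order; if it differs, values encrypted during install would not decrypt afterwards. Since both globals are declared in hunk @@ -407, the nested ternary reads more plainly as `$conf->file->instance_unique_id = $dolibarr_main_instance_unique_id ?: $dolibarr_main_cookie_cryptkey ?: '';` with the same result.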
@@ -203,7 +202,7 @@ class MailingTargets // This can't be abstract as it is used for some method
 $sql .= "'".$this->db->escape($targetarray['other'])."',";
 $sql .= "'".$this->db->escape($targetarray['source_url'])."',";
 $sql .= (empty($targetarray['source_id']) ? 'null' : "'".$this->db->escape($targetarray['source_id'])."'").",";
- $sql .= "'".$this->db->escape(dol_hash($dolibarr_main_instance_unique_id.";".$targetarray['email'].";".$targetarray['lastname'].";".((int) $mailing_id).";".getDolGlobalString('MAILING_EMAIL_UNSUBSCRIBE_KEY'), 'md5'))."',";
+ $sql .= "'".$this->db->escape(dol_hash($conf->file->instance_unique_id.";".$targetarray['email'].";".$targetarray['lastname'].";".((int) $mailing_id).";".getDolGlobalString('MAILING_EMAIL_UNSUBSCRIBE_KEY'), 'md5'))."',";
 $sql .= "'".$this->db->escape($targetarray['source_type'])."')";
 dol_syslog(__METHOD__, LOG_DEBUG);
 $result = $this->db->query($sql);
diff --git a/htdocs/core/tpl/passwordreset.tpl.php b/htdocs/core/tpl/passwordreset.tpl.php
index 96cde6cf032..901a085ee33 100644
--- a/htdocs/core/tpl/passwordreset.tpl.php
+++ b/htdocs/core/tpl/passwordreset.tpl.php
@@ -97,10 +97,10 @@ if ($setnewpassword && $username && $passworduidhash) {
 if ($result < 0) {
 $message = '
'.dol_escape_htmltag($langs->trans("ErrorTechnicalError")).'
';
 } else {
- global $dolibarr_main_instance_unique_id;
+ global $conf;
- //print $edituser->pass_temp.'-'.$edituser->id.'-'.$dolibarr_main_instance_unique_id.' '.$passworduidhash;
- if ($edituser->pass_temp && dol_verifyHash($edituser->pass_temp.'-'.$edituser->id.'-'.$dolibarr_main_instance_unique_id, $passworduidhash)) {
+ //print $edituser->pass_temp.'-'.$edituser->id.'-'.$conf->file->instance_unique_id.' '.$passworduidhash;
+ if ($edituser->pass_temp && dol_verifyHash($edituser->pass_temp.'-'.$edituser->id.'-'.$conf->file->instance_unique_id, $passworduidhash)) {
 // Clear session
 unset($_SESSION['dol_login']);
diff --git a/htdocs/public/users/view.php b/htdocs/public/users/view.php
index 4da6d3baad9..c28175b898d 100644
--- a/htdocs/public/users/view.php
+++ b/htdocs/public/users/view.php
@@ -62,8 +62,8 @@ $object->fetch($id, '', '', 1);
 $urlwithroot = DOL_MAIN_URL_ROOT; // This is to use same domain name than current. For Paypal payment, we can use internal URL like localhost.
 // Security check
-global $dolibarr_main_instance_unique_id;
-$encodedsecurekey = dol_hash($dolibarr_main_instance_unique_id.'uservirtualcard'.$object->id.'-'.$object->login, 'md5');
+global $conf;
+$encodedsecurekey = dol_hash($conf->file->instance_unique_id.'uservirtualcard'.$object->id.'-'.$object->login, 'md5');
 if ($encodedsecurekey != $securekey) {
 httponly_accessforbidden('Bad value for securitykey or public profile not enabled');
 }
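Review bot: The key built on the new `$encodedsecurekey` line in view.php (hunk @@ -62) is still checked on the next line with `!=`, a loose comparison between an md5 hex digest and a request-supplied `$securekey`; in PHP two strings that both parse as numbers, such as digests consisting of `0e` followed only by digits, compare equal under `==`, and the comparison is not constant-time. Since this check is the only gate in front of the public profile, change it to `if (!hash_equals($encodedsecurekey, (string) $securekey)) {`. The producing side in getOnlineVirtualCardUrl (PATCH 1, hunk @@ -3894) needs no change for this, as only the comparison moves to hash_equals. Where `$securekey` is read is outside the hunk, so the cast is there in case it arrives as something other than a string.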