fix: Remove the default defined salt #625

2016-07-20 11:17:23 +02:00 · 2016-07-20 11:17:23 +02:00 · 4f169a8ffa
parent af2f355cb4
commit 4f169a8ffa
3 changed files with 7 additions and 3 deletions
--- a/app/Config/config.default.php
+++ b/app/Config/config.default.php
@ -4,7 +4,7 @@ $config = array (
  'Security' =>
  array (
    'level' => 'medium',
-    'salt' => 'Rooraenietu8Eeyo<Qu2eeNfterd-dd+',
+    'salt' => '',
    'cipherSeed' => '',
    //'auth'=>array('CertAuth.Certificate'), // additional authentication methods
  ),
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@ -81,6 +81,11 @@ class AppController extends Controller {
 		$this->loadModel('User');
 		$auth_user_fields = $this->User->describeAuthFields();

+        //if fresh installation (salt empty) generate a new salt
+        if (!Configure::read('Security.salt')) {
+            $this->loadModel('Server');
+            $this->Server->serverSettingsSaveValue('Security.salt', $this->User->generateRandomPassword(32));
+        }
 		// check if Apache provides kerberos authentication data
 		$envvar = Configure::read('ApacheSecureAuth.apacheEnv');
 		if (isset($_SERVER[$envvar])) {
--- a/app/Model/User.php
+++ b/app/Model/User.php
@ -431,8 +431,7 @@ class User extends AppModel {
 		return $key;
 	}

-	public function generateRandomPassword() {
-		$length = 12;
+	public function generateRandomPassword($length = 12) {
 		$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-+=!@#$%&*()<>/?';
 		$charLen = strlen($characters) - 1;
 		$key = '';