author | Max Kanat-Alexander <mkanat@bugzilla.org> | 2011-01-24 22:43:38 +0100 |
committer | Max Kanat-Alexander <mkanat@bugzilla.org> | 2011-01-24 22:43:38 +0100 |
commit | 95b919c0b6b731d16e92dd748e654cefeba0bd32 (patch) | |
tree | 254f2da4d90de25ae6700464f5e6705f8be8a98e /Bugzilla/Install | |
parent | ad1e3aef99b806d7f4a5bd18aa0c8cc6102f62e6 (diff) | |
Bug 619594: (CVE-2010-4568) [SECURITY] Improve the randomness of
generate_random_password, to protect against an account compromise issue
and other critical vulnerabilities.
r=LpSolit, a=LpSolit
https://bugzilla.mozilla.org/show_bug.cgi?id=621591
Diffstat (limited to 'Bugzilla/Install')
-rw-r--r-- | Bugzilla/Install/Localconfig.pm | 13 | ||||
-rw-r--r-- | Bugzilla/Install/Requirements.pm | 6 |
2 files changed, 17 insertions, 2 deletions
diff --git a/Bugzilla/Install/Localconfig.pm b/Bugzilla/Install/Localconfig.pm
index 956d3c72e..3ce12207e 100644
--- a/Bugzilla/Install/Localconfig.pm
+++ b/Bugzilla/Install/Localconfig.pm
@@ -109,7 +109,9 @@ use constant LOCALCONFIG_VARS => (
 },
 {
 name => 'site_wide_secret',
- default => sub { generate_random_password(256) },
+ # 64 characters is roughly the equivalent of a 384-bit key, which
+ # is larger than anybody would ever be able to brute-force.
+ default => sub { generate_random_password(64) },
 },
 );
@@ -210,7 +212,14 @@ sub update_localconfig {
 my @new_vars;
 foreach my $var (LOCALCONFIG_VARS) {
 my $name = $var->{name};
- if (!defined $localconfig->{$name}) {
+ my $value = $localconfig->{$name};
+ # Regenerate site_wide_secret if it was made by our old, weak
+ # generate_random_password. Previously we used to generate
+ # a 256-character string for site_wide_secret.
+ $value = undef if ($name eq 'site_wide_secret' and defined $value
+ and length($value) == 256);
+
+ if (!defined $value) {
 push(@new_vars, $name);
 $var->{default} = &{$var->{default}} if ref($var->{default}) eq 'CODE';
 if (exists $answer->{$name}) {
diff --git a/Bugzilla/Install/Requirements.pm b/Bugzilla/Install/Requirements.pm
index f45360916..e3049f2d5 100644
--- a/Bugzilla/Install/Requirements.pm
+++ b/Bugzilla/Install/Requirements.pm
@@ -157,6 +157,12 @@ sub REQUIRED_MODULES {
 module => 'List::MoreUtils',
 version => 0.22,
 },
+ {
+ package => 'Math-Random-Secure',
+ module => 'Math::Random::Secure',
+ # This is the first version that installs properly on Windows.
+ version => '0.05',
+ },
 );
 my $extra_modules = _get_extension_requirements('REQUIRED_MODULES'); |
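Review bot: The "384-bit key" figure in the new comment on the site_wide_secret default is only correct for the alphabet generate_random_password draws from (about six bits per character if it is alphanumeric; that function is outside this diff, so this is inferred), and the comment should record that assumption rather than a bare bit count that goes stale if the alphabet changes. Suggest `# 64 characters from an alphanumeric alphabet (~6 bits each) is roughly` / `# a 384-bit key, which is larger than anybody would ever be able to brute-force.`. This default only applies when localconfig has no value yet; existing 256-character secrets are handled in the update_localconfig hunk below.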
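Review bot: The `length($value) == 256` test in update_localconfig discards any 256-character site_wide_secret, including one an administrator set by hand, and does so with no output, even though everything derived from the old secret presumably stops validating once it is rotated. The two-line postfix conditional is also hard to read; the block form `if ($name eq 'site_wide_secret' and defined $value and length($value) == 256) {` / `    $value = undef;` / `}` says the same thing and is the natural place for a one-line notice that the secret is being regenerated (how checksetup reports progress is not visible in this hunk, so the exact form is left to the author). The `&{$var->{default}}` call syntax on the following context line predates this change but would read better as `$var->{default}->()`. update_localconfig continues outside the hunk.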