summaryrefslogtreecommitdiffstats
path: root/Bugzilla/Install
diff options
context:
space:
mode:
authorMax Kanat-Alexander <mkanat@bugzilla.org>2011-01-24 22:43:38 +0100
committerMax Kanat-Alexander <mkanat@bugzilla.org>2011-01-24 22:43:38 +0100
commit95b919c0b6b731d16e92dd748e654cefeba0bd32 (patch)
tree254f2da4d90de25ae6700464f5e6705f8be8a98e /Bugzilla/Install
parentad1e3aef99b806d7f4a5bd18aa0c8cc6102f62e6 (diff)
downloadbugzilla-95b919c0b6b731d16e92dd748e654cefeba0bd32.tar.gz
bugzilla-95b919c0b6b731d16e92dd748e654cefeba0bd32.tar.xz
Bug 619594: (CVE-2010-4568) [SECURITY] Improve the randomness of
generate_random_password, to protect against an account compromise issue and other critical vulnerabilities. r=LpSolit, a=LpSolit https://bugzilla.mozilla.org/show_bug.cgi?id=621591
Diffstat (limited to 'Bugzilla/Install')
-rw-r--r--Bugzilla/Install/Localconfig.pm13
-rw-r--r--Bugzilla/Install/Requirements.pm6
2 files changed, 17 insertions, 2 deletions
diff --git a/Bugzilla/Install/Localconfig.pm b/Bugzilla/Install/Localconfig.pm
index 956d3c72e..3ce12207e 100644
--- a/Bugzilla/Install/Localconfig.pm
+++ b/Bugzilla/Install/Localconfig.pm
@@ -109,7 +109,9 @@ use constant LOCALCONFIG_VARS => (
},
{
name => 'site_wide_secret',
- default => sub { generate_random_password(256) },
+ # 64 characters is roughly the equivalent of a 384-bit key, which
+ # is larger than anybody would ever be able to brute-force.
+ default => sub { generate_random_password(64) },
},
);
@@ -210,7 +212,14 @@ sub update_localconfig {
my @new_vars;
foreach my $var (LOCALCONFIG_VARS) {
my $name = $var->{name};
- if (!defined $localconfig->{$name}) {
+ my $value = $localconfig->{$name};
+ # Regenerate site_wide_secret if it was made by our old, weak
+ # generate_random_password. Previously we used to generate
+ # a 256-character string for site_wide_secret.
+ $value = undef if ($name eq 'site_wide_secret' and defined $value
+ and length($value) == 256);
+
+ if (!defined $value) {
push(@new_vars, $name);
$var->{default} = &{$var->{default}} if ref($var->{default}) eq 'CODE';
if (exists $answer->{$name}) {
diff --git a/Bugzilla/Install/Requirements.pm b/Bugzilla/Install/Requirements.pm
index f45360916..e3049f2d5 100644
--- a/Bugzilla/Install/Requirements.pm
+++ b/Bugzilla/Install/Requirements.pm
@@ -157,6 +157,12 @@ sub REQUIRED_MODULES {
module => 'List::MoreUtils',
version => 0.22,
},
+ {
+ package => 'Math-Random-Secure',
+ module => 'Math::Random::Secure',
+ # This is the first version that installs properly on Windows.
+ version => '0.05',
+ },
);
my $extra_modules = _get_extension_requirements('REQUIRED_MODULES');