Fix: #0017382: install.php: do not send the value of crypto_master_sa…

…lt over http
mantisbt · May 31, 2014 · e5876f0 · e5876f0
1 parent f725b46
commit e5876f0
Showing 1 changed file with 16 additions and 24 deletions.
diff --git a/admin/install.php b/admin/install.php
@@ -179,7 +179,6 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 	$f_db_username            = config_get( 'db_username', '' );
 	$f_db_password            = config_get( 'db_password', '' );
 	$f_timezone               = config_get( 'default_timezone', '' );
-	$f_crypto_master_salt     = config_get( 'crypto_master_salt', '' );
 
 	# Set default prefix/suffix form variables ($f_db_table_XXX)
 	foreach( $t_prefix_defaults['other'] as $t_key => $t_value ) {
@@ -198,7 +197,6 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 		$f_db_password = config_get( 'db_password' );
 	}
 	$f_timezone           = gpc_get( 'timezone', config_get( 'default_timezone' ) );
-	$f_crypto_master_salt = gpc_get( 'crypto_master_salt', config_get( 'crypto_master_salt' ) );
 
 	# Set default prefix/suffix form variables ($f_db_table_XXX)
 	$t_prefix_type = $f_db_type == 'oci8' ? $f_db_type : 'other';
@@ -645,27 +643,6 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 		</select>
 	</td>
 </tr>
-
-<!-- Cryptographic salt -->
-<tr>
-	<td>
-		Master salt value for cryptographic hashing
-		(Refer to documentation for details)
-	</td>
-	<td>
-<?php
-	# Automatically generate a strong master salt/nonce for MantisBT
-	# cryptographic purposes. If a strong source of randomness is not
-	# available the user will have to manually set this value post
-	# installation.
-	$t_crypto_master_salt = crypto_generate_random_string(32);
-	if ( $t_crypto_master_salt !== null ) {
-		$t_crypto_master_salt = base64_encode( $t_crypto_master_salt );
-	}
-?>
-		<input name="crypto_master_salt" type="textbox" size=40 value="<?php echo $t_crypto_master_salt; ?>">
-	</td>
-</tr>
 <?php
 } # end install-only fields
 ?>
@@ -1063,6 +1040,15 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 <?php
 	# Generating the config_inc.php file
 
+	# Automatically generate a strong master salt/nonce for MantisBT
+	# cryptographic purposes. If a strong source of randomness is not
+	# available the user will have to manually set this value post
+	# installation.
+	$t_crypto_master_salt = crypto_generate_random_string(32);
+	if ( $t_crypto_master_salt !== null ) {
+		$t_crypto_master_salt = base64_encode( $t_crypto_master_salt );
+	}
+
 	$t_config = '<?php' . PHP_EOL
 		. "\$g_hostname               = '$f_hostname';" . PHP_EOL
 		. "\$g_db_type                = '$f_db_type';" . PHP_EOL
@@ -1095,7 +1081,7 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 	$t_config .=
 		  "\$g_default_timezone       = '$f_timezone';" . PHP_EOL
 		. PHP_EOL
-		. "\$g_crypto_master_salt     = '" . addslashes( $f_crypto_master_salt ) . "';" . PHP_EOL;
+		. "\$g_crypto_master_salt     = '" . addslashes( $t_crypto_master_salt ) . "';" . PHP_EOL;
 
 	$t_write_failed = true;
 
@@ -1128,6 +1114,12 @@ function print_test( $p_test_description, $p_result, $p_hard_fail = true, $p_mes
 	?>
 </tr>
 <?php
+	if( $t_crypto_master_salt === null ) {
+		print_test( 'Setting Cryptographic salt in config file', false , false,
+					'Unable to find a random number source for cryptographic purposes. You will need to edit ' .
+					$g_config_path . 'config_inc.php' . ' and set a value for $g_crypto_master_salt manually' );
+	}
+
 	if( true == $t_write_failed ) {
 ?>
 <tr>