Allow packagers to be able to specify an alternate location of csrf-secret.php file

[ddb4github]

Describe the bug
csrf_get_secret function want to generate a secret file if not exist.
Installer should check cacti/include/vendor/csrf permission:
For install procedure only if installer create a secret file
Or always writable

[netniV]

Hmm, that sounds like an interesting problem. The issue being that the secret file is created for any forms. I think we would have to go back a step and put it into global.php as a fatal error given that from 1.2.x, you have to log in BEFORE the installer even starts.

@paulgevers do you do anything fancy with the CSRF package inclusion ? Do I need to check a different folder for the secret file and if its directory is writable?

[netniV]

@mortenstevens not one to leave you out, but do you strip out the vendor folder too?

[paulgevers]

Hi Mark,

On 18-10-2019 14:50, Mark Brugnoli-Vinten wrote: @paulgevers <https://github.com/paulgevers> do you do anything fancy with the CSRF package inclusion ? Do I need to check a different folder for the secret file and if its directory is writable?

I don't do anything specific with the CSRF in the Debian package, the files are installed like all the other Cacti files. So, no, Cacti doesn't have write access in that folder on Debian machines. If I understand your question correctly, we'll have to align on a writable location. Paul

[cigamit]

When install, I've never seen this problem since I set the ownership to apache:apache and therefore the csrf call always is able to generate the file. I wonder if we can relocate the file to /etc/cacti for debian and /var/www/html/cacti/include for base cacti?

[netniV]

As I said above, this is not an installer issue it's pre-installer, much like a database connection. If CSRF isn't available, you won't be able to log in. I'll try and review tonight what we can do about it.

[netniV]

Looking at the code in include/vendor/csrf/csrf-magic.php, it does already check that the directory is writable and only generates a secret if it is.

function csrf_get_secret() {
    if ($GLOBALS['csrf']['secret']) return $GLOBALS['csrf']['secret'];
    $dir = dirname(__FILE__);
    $file = $dir . '/csrf-secret.php';
    $secret = '';
    if (file_exists($file)) {
        include $file;
        return $secret;
    }
    if (is_writable($dir)) {
        $secret = csrf_generate_secret();
        $fh = fopen($file, 'w');
        fwrite($fh, '<?php $secret = "'.$secret.'";' . PHP_EOL);
        fclose($fh);
        return $secret;
    }
    return '';
}

So, I am now going to revise my previous answer and say that we can add this as a requirement check since the secret will not be generated and should still allow logging in.

I think it also needs adding to the tech support page to make sure it shows if the CSRF has actually been generated.

[cigamit]

Maybe we need to make this a config item in config.php. That way the package maintainers can locate in places like /etc/cacti for example.