-
-
Notifications
You must be signed in to change notification settings - Fork 399
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure Cacti can support PHP 8 #4001
Comments
Maybe relevant note, this log is on arm64, I haven't seen the results yet on amd64. |
Thanks for the heads up @paulgevers. We'll get these fixed. |
The csfr-secret issue might be build related? |
Okay, the zlib issue should be resolved. However, I think that the csrf_magic.php issue might be a build issue. Cacti is supposed to have write access to be able to write the CSRF Secret file. Can you look into how you are doing that currently and report you findings @paulgevers? |
@TheWitness can you elaborate how this CSRF Secret file is supposed to work. It seems that it's unused in Debian, as the default file (which I don't change in the packaging) doesn't exist and indeed the default location isn't writable. I haven't heard complaints yet about stuff not working, so I wonder what this file is supposed to achieve. |
@paulgevers, it's the file that holds the post encryption key. It's pointed to in the config.php. It get's created at install time. So, if the default is used, the web server needs RW access to the vendor/csrf folder. It's defaulted to $CACTI_TOP/include/vendor/csrf. So, but you can move it to /etc/cacti where it belongs using the setting. Let me know if you need more details. The config.php variables is: $path_csrf_secret = '/etc/cacti/csrf-secret.php'; |
@TheWitness does this means that if it's missing, there's no encryption? In that case I guess I have created a security issue in the Debian packaging. |
I don't think so. See if the file 'csrf-secret.php' is found in $CACTI_TOP/include/vendor/csrf/. |
The file doesn't exist. |
@TheWitness just in case you didn't realize, in Debian we don't run the Cacti install process (because, at least in the past, that was doing all kind of things we handle at the package level). |
You can just call the |
Maybe we should have a CLI for this, to set/reset it from time to time. |
@TheWitness sure, I can fix it in future version, but, how bad is it for the installations out there that don't have this file? |
Maybe a CLI won't hurt for them, then you can either issue a bulletin, or app note. What do you think? |
O, for security updates, there's always an announcement from the security team. I'm more wondering is it so bad that I need to request a CVE and get an upload to stable via the security team. |
I think that's on you regardless, but we can support by giving a cli for a quick fix. |
We should log, and also have an admin alert in the case it's missing. Have to put a timer on it as that file is always loaded. |
I think @paulgevers in the past, you had to do a lot of our work to install automatically without a user. However, we do have the CLI installer now that can do that work for you to keep both a command line and web installation using the same code. As for the CSRF secret, if one exists, then it is used as an extra security layer but it does not NEED to exist (despite the thoughts to the contrary). If you wish to create a secret, it will make things more secure but I don't believe there is a hole without it. |
@TheWitness @netniV thanks for all the information. I'll look into running the CLI installer during the Debian package install process. |
@paulgevers, thanks for your continued support. I have committed a CLI script referenced in this commit. Feel free to close this when you are comfortable that you can move forward. Larry |
Let's close it for now. I'll report back when I have fixed the package and there are still issues. |
PHP8 makes Cacti spit out lots of errors and warnings (but otherwise succeeds)
In Debian Experimental, the default PHP was upgraded to PHP8 to check if its possible to upgrade PHP8 before the Debian Freeze (12 January 2021). It turns out that the testsuite I have for Cacti in the Debian package fails on PHP Errors and Warnings. This means by the way that the web pages seem to be successfully served, as the log check comes last. Although I worry especially about the CSRF errors.
To Reproduce
Recursive web crawl on a cacti site with PHP8 as the running PHP version
An example log can be found here. I'll copy/paste the first part below as that log is recycled after some time. Fresh logs are probably available here.
Expected behavior
No new Error (and ideally no new Warning) messages compared to PHP7.
Desktop
Not applicable
Smartphone
Not applicable
Additional context
Headless server running Debian unstable with php-default packages from experimental.
The text was updated successfully, but these errors were encountered: