MDL-17203 hash salt added to calendar export
skodak committed Dec 31, 2008
1 parent dbf9d4c commit b20c631
Showing 5 changed files with 6 additions and 3 deletions.
1 change: 1 addition & 0 deletions admin/settings/appearance.php
@@ -45,6 +45,7 @@
$temp->add(new admin_setting_configtext('calendar_lookahead',get_string('configlookahead','admin'),get_string('helpupcominglookahead', 'admin'),21,PARAM_INT));
$temp->add(new admin_setting_configtext('calendar_maxevents',get_string('configmaxevents','admin'),get_string('helpupcomingmaxevents', 'admin'),10,PARAM_INT));
$temp->add(new admin_setting_configcheckbox('enablecalendarexport', get_string('enablecalendarexport', 'admin'), get_string('configenablecalendarexport','admin'), 1));
$temp->add(new admin_setting_configtext('calendar_exportsalt', get_string('calendarexportsalt','admin'), get_string('configcalendarexportsalt', 'admin'), random_string(40)));
$ADMIN->add('appearance', $temp);

// "htmleditor" settingpage
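Review bot: The default `random_string(40)` on the new `calendar_exportsalt` setting is re-evaluated every time this settings file is loaded, so the salt is only stable once a value has actually been written to config, and nothing visible here guarantees that happens before the calendar scripts read `$CFG->calendar_exportsalt`. The setting is a plain `admin_setting_configtext` with no length or emptiness check visible, so it looks possible to save it blank, which would silently return the tokens to their unsalted form. Whether `random_string()` draws from a cryptographically strong source is not visible on this page; if it does not, the salt is weaker than its 40 characters suggest. I would add a comment above the line, `// salt for calendar export tokens: must be non-empty; changing it invalidates every issued token`, and reject an empty value on save.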
2 changes: 1 addition & 1 deletion calendar/export.php
@@ -83,7 +83,7 @@

$username = $USER->username;
$usernameencoded = urlencode($USER->username);
$authtoken = sha1($USER->username . $USER->password);
$authtoken = sha1($USER->username . $USER->password . $CFG->calendar_exportsalt);

switch($action) {
case 'advanced':
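Review bot: `$CFG->calendar_exportsalt` is read on the new `$authtoken` line without checking that it is set and non-empty, so on a site where the setting has not been stored yet the token comes out exactly as it did before this commit (and PHP would presumably raise an undefined-property notice). The same expression is repeated in `calendar/export_execute.php` and `calendar/view.php`, and all three copies must stay byte-for-byte in step or valid links stop verifying, so one shared helper would be safer than three inline copies. The fields are also joined without a separator and hashed with plain SHA-1 instead of a keyed construction. Where the supported PHP version provides it, `hash_hmac('sha1', $USER->username . ':' . $USER->password, $CFG->calendar_exportsalt)` would use the salt as a real key.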
2 changes: 1 addition & 1 deletion calendar/export_execute.php
@@ -19,7 +19,7 @@
}

//Check authentication token
if ($authtoken != sha1($username . $user->password)) {
if ($authtoken != sha1($username . $user->password . $CFG->calendar_exportsalt)) {
die('Invalid authentication token');
}

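Review bot: The token check still uses the loose operator `!=`, which lets PHP compare two numeric-looking strings as numbers instead of character by character, so it is not an exact-match test for a hex digest. It should be at least `if ($authtoken !== sha1($username . $user->password . $CFG->calendar_exportsalt)) {`, and a constant-time comparison such as `hash_equals()` where the PHP version provides it. `$authtoken`, `$username` and `$user` are set outside the hunk, so how the request values are cleaned and whether `$authtoken` is always a string cannot be confirmed from here.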
2 changes: 1 addition & 1 deletion calendar/view.php
@@ -169,7 +169,7 @@
print_single_button('export.php', array('course'=>$courseid), get_string('exportcalendar', 'calendar'));

if (!empty($USER->id)) {
$authtoken = sha1($USER->username . $USER->password);
$authtoken = sha1($USER->username . $USER->password . $CFG->calendar_exportsalt);
$usernameencoded = urlencode($USER->username);

echo "<a href=\"export_execute.php?preset_what=all&amp;preset_time=recentupcoming&amp;username=$usernameencoded&amp;authtoken=$authtoken\">"
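Review bot: The new `$authtoken` line has no comment saying that the value is a static bearer credential, and the `echo` below it places that value in the `export_execute.php` query string. As far as the visible inputs show, it changes only when the username, the stored password value or `calendar_exportsalt` changes, so adding the salt does not limit its lifetime or keep it out of web-server logs, browser history and anywhere else the link is copied. I would document that above the assignment: `// authtoken is a long-lived bearer value embedded in the export URL; it is invalidated only by a password or calendar_exportsalt change`. The `echo` statement continues past the end of the hunk, so the rest of the link markup is not visible.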
2 changes: 2 additions & 0 deletions lang/en_utf8/admin.php
@@ -42,6 +42,7 @@
$string['cachetext'] = 'Text cache lifetime';
$string['cachetype'] = 'Cache Type';
$string['calendar_weekend'] = 'Weekend Days';
$string['calendarexportsalt'] = 'Calendar export salt';
$string['calendarsettings'] = 'Calendar';
$string['cannotdeletemissingqtype'] = 'You cannot delete the missing question type. It is needed by the system.';
$string['cannotdeleteqtypeinuse'] = 'You cannot delete the question type \'$a\'. There are questions of this type in the question bank.';
@@ -81,6 +82,7 @@
$string['configbloglevel'] = 'This setting allows you to restrict the level to which user blogs can be viewed on this site. Note that they specify the maximum context of the VIEWER not the poster or the types of blog posts. Blogs can also be disabled completely if you don\'t want them at all.';
$string['configcachetext'] = 'For larger sites or sites that use text filters, this setting can really speed things up. Copies of texts will be retained in their processed form for the time specified here. Setting this too small may actually slow things down slightly, but setting it too large may mean texts take too long to refresh (with new links, for example).';
$string['configcachetype'] = 'Select a type of cache for Moodle to use. This will only configure the cache, remember to enable rcache so that the cache is used for something. Use <strong>only</strong> if you need to reduce the load on the database system -- otherwise Moodle will actually run slower. Medium-traffic sites may see benefits using \'internal\'. A single webserver with eAccelerator or Turckmmcache installed <em>with the shared memory options enabled</em> should try \'eaccelerator\'. If you have a multiple-server setup, and you have one or more memcached daemons running and the PHP-memcached extension, select \'memcached\' and configure the memached options below. <br /><strong>Note:</strong> make sure you test performance under load and tune accordingly -- the caches can make your site slower. In high-traffic situations, eAccelerator and memcached can yield the most benefits, but have the higher costs in CPU usage on the webserver.';
$string['configcalendarexportsalt'] = 'This random text is used for improving of security of authentication tokens used for exporting of calendars. Please note that all current tokens are invalidated if you change this hash salt.';
$string['configclamactlikevirus'] = 'Treat files like viruses';
$string['configclamdonothing'] = 'Treat files as OK';
$string['configclamfailureonupload'] = 'If you have configured clam to scan uploaded files, but it is configured incorrectly or fails to run for some unknown reason, how should it behave? If you choose \'Treat files like viruses\', they\'ll be moved into the quarantine area, or deleted. If you choose \'Treat files as OK\', the files will be moved to the destination directory like normal. Either way, admins will be alerted that clam has failed. If you choose \'Treat files like viruses\' and for some reason clam fails to run (usually because you have entered an invalid pathtoclam), ALL files that are uploaded will be moved to the given quarantine area, or deleted. Be careful with this setting.';
