Merge pull request #747 from gburton/1.0.0.4

1.0.0.4

.htaccess

@@ -35,7 +35,6 @@
 # servers)
 
 # php_value session.use_trans_sid 0
-# php_value register_globals 1
 
 <IfModule mod_headers.c>
   Header unset ETag

admin/.htaccess

@@ -35,4 +35,3 @@
 # servers)
 
 # php_value session.use_trans_sid 0
-# php_value register_globals 1

admin/includes/application_top.php

@@ -15,16 +15,11 @@
 
 // Set the level of error reporting
   error_reporting(E_ALL & ~E_NOTICE);
-  
+
   if (defined('E_DEPRECATED')) {
     error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED);
   }
 
-// check support for register_globals
-  if (function_exists('ini_get') && (ini_get('register_globals') == false) && (PHP_VERSION < 4.3) ) {
-    exit('Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory. Please use PHP 4.3+ if register_globals cannot be enabled on the server.');
-  }
-
 // load server configuration parameters
   if (file_exists('includes/local/configure.php')) { // for developers
     include('includes/local/configure.php');
@@ -88,22 +83,15 @@
   tep_session_save_path(SESSION_WRITE_DIRECTORY);
 
 // set the session cookie parameters
-   if (function_exists('session_set_cookie_params')) {
-    session_set_cookie_params(0, $cookie_path, $cookie_domain);
-  } elseif (function_exists('ini_set')) {
-    ini_set('session.cookie_lifetime', '0');
-    ini_set('session.cookie_path', $cookie_path);
-    ini_set('session.cookie_domain', $cookie_domain);
-  }
+  session_set_cookie_params(0, $cookie_path, $cookie_domain);
 
   @ini_set('session.use_only_cookies', (SESSION_FORCE_COOKIE_USE == 'True') ? 1 : 0);
 
 // lets start our session
   tep_session_start();
 
-  if ( (PHP_VERSION >= 4.3) && function_exists('ini_get') && (ini_get('register_globals') == false) ) {
-    extract($_SESSION, EXTR_OVERWRITE+EXTR_REFS);
-  }
+  // force register_globals
+  extract($_SESSION, EXTR_OVERWRITE+EXTR_REFS);
 
 // set the language
   if (!tep_session_is_registered('language') || isset($_GET['language'])) {
@@ -233,10 +221,10 @@
                         array('title' => TEXT_CACHE_MANUFACTURERS, 'code' => 'manufacturers', 'file' => 'manufacturers_box-language.cache', 'multiple' => true),
                         array('title' => TEXT_CACHE_ALSO_PURCHASED, 'code' => 'also_purchased', 'file' => 'also_purchased-language.cache', 'multiple' => true)
                        );
-                       
+
   require(DIR_FS_CATALOG . 'includes/classes/hooks.php');
   $OSCOM_Hooks = new hooks('admin');
-  
+
   $OSCOM_Hooks->register('siteWide');
 
   $OSCOM_Hooks->register(basename($PHP_SELF, '.php'));

admin/includes/classes/email.php

@@ -514,12 +514,8 @@ function send($to_name, $to_addr, $from_name, $from_addr, $subject = '', $header
 
       $headers = array_merge($this->headers, array('From: ' . $from), $headers, $xtra_headers);
 
-      $additional_parameters = '';
+      $additional_parameters = '-f' . $from_addr;
 
-      if ((PHP_VERSION > '5.3') || ((bool)ini_get('safe_mode') === false)) {
-        $additional_parameters = '-f' . $from_addr;
-      }
-
       return mail($to, $subject, $this->output, implode($this->lf, $headers), $additional_parameters);
     }
 

admin/includes/classes/passwordhash.php

@@ -2,11 +2,10 @@
 #
 # Portable PHP password hashing framework.
 #
-# Version 0.3 / genuine.
-# Version 0.3 / osCommerce:
-#   * Silenced @is_readable('/dev/urandom'))
+# Version 0.5 / genuine.
+# Version 0.5 / osCommerce:
 #   * Added stream_set_read_buffer() when reading from /dev/urandom
-#   * Added openssl_random_pseudo_bytes() and mcrypt_create_iv() to
+#   * Added openssl_random_pseudo_bytes() and random_bytes() to
 #     get_random_bytes()
 #
 # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
@@ -53,7 +52,9 @@ function __construct($iteration_count_log2, $portable_hashes)
 	function get_random_bytes($count)
 	{
 		$output = '';
-		if (@is_readable('/dev/urandom') &&
+		if (is_callable('random_bytes')) {
+			$output = random_bytes($count);
+		} elseif (@is_readable('/dev/urandom') &&
 		    ($fh = @fopen('/dev/urandom', 'rb'))) {
 			if (function_exists('stream_set_read_buffer')) {
 				stream_set_read_buffer($fh, 0);
@@ -66,17 +67,14 @@ function get_random_bytes($count)
 			if ( $orpb_secure != true ) {
 				$output = '';
 			}
-		} elseif (defined('MCRYPT_DEV_URANDOM')) {
-			$output = mcrypt_create_iv($count, MCRYPT_DEV_URANDOM);
 		}
 
 		if (strlen($output) < $count) {
 			$output = '';
 			for ($i = 0; $i < $count; $i += 16) {
 				$this->random_state =
 				    md5(microtime() . $this->random_state);
-				$output .=
-				    pack('H*', md5($this->random_state));
+				$output .= md5($this->random_state, TRUE);
 			}
 			$output = substr($output, 0, $count);
 		}
@@ -120,12 +118,12 @@ function gensalt_private($input)
 	function crypt_private($password, $setting)
 	{
 		$output = '*0';
-		if (substr($setting, 0, 2) == $output)
+		if (substr($setting, 0, 2) === $output)
 			$output = '*1';
 
 		$id = substr($setting, 0, 3);
 		# We use "$P$", phpBB3 uses "$H$" for the same thing
-		if ($id != '$P$' && $id != '$H$')
+		if ($id !== '$P$' && $id !== '$H$')
 			return $output;
 
 		$count_log2 = strpos($this->itoa64, $setting[3]);
@@ -135,51 +133,26 @@ function crypt_private($password, $setting)
 		$count = 1 << $count_log2;
 
 		$salt = substr($setting, 4, 8);
-		if (strlen($salt) != 8)
+		if (strlen($salt) !== 8)
 			return $output;
 
-		# We're kind of forced to use MD5 here since it's the only
-		# cryptographic primitive available in all versions of PHP
-		# currently in use.  To implement our own low-level crypto
-		# in PHP would result in much worse performance and
+		# We were kind of forced to use MD5 here since it's the only
+		# cryptographic primitive that was available in all versions
+		# of PHP in use.  To implement our own low-level crypto in PHP
+		# would have resulted in much worse performance and
 		# consequently in lower iteration counts and hashes that are
 		# quicker to crack (by non-PHP code).
-		if (PHP_VERSION >= '5') {
-			$hash = md5($salt . $password, TRUE);
-			do {
-				$hash = md5($hash . $password, TRUE);
-			} while (--$count);
-		} else {
-			$hash = pack('H*', md5($salt . $password));
-			do {
-				$hash = pack('H*', md5($hash . $password));
-			} while (--$count);
-		}
+		$hash = md5($salt . $password, TRUE);
+		do {
+			$hash = md5($hash . $password, TRUE);
+		} while (--$count);
 
 		$output = substr($setting, 0, 12);
 		$output .= $this->encode64($hash, 16);
 
 		return $output;
 	}
 
-	function gensalt_extended($input)
-	{
-		$count_log2 = min($this->iteration_count_log2 + 8, 24);
-		# This should be odd to not reveal weak DES keys, and the
-		# maximum valid value is (2**24 - 1) which is odd anyway.
-		$count = (1 << $count_log2) - 1;
-
-		$output = '_';
-		$output .= $this->itoa64[$count & 0x3f];
-		$output .= $this->itoa64[($count >> 6) & 0x3f];
-		$output .= $this->itoa64[($count >> 12) & 0x3f];
-		$output .= $this->itoa64[($count >> 18) & 0x3f];
-
-		$output .= $this->encode64($input, 3);
-
-		return $output;
-	}
-
 	function gensalt_blowfish($input)
 	{
 		# This one needs to use a different order of characters and a
@@ -225,20 +198,11 @@ function HashPassword($password)
 	{
 		$random = '';
 
-		if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
+		if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
 			$random = $this->get_random_bytes(16);
 			$hash =
 			    crypt($password, $this->gensalt_blowfish($random));
-			if (strlen($hash) == 60)
-				return $hash;
-		}
-
-		if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
-			if (strlen($random) < 3)
-				$random = $this->get_random_bytes(3);
-			$hash =
-			    crypt($password, $this->gensalt_extended($random));
-			if (strlen($hash) == 20)
+			if (strlen($hash) === 60)
 				return $hash;
 		}
 
@@ -247,7 +211,7 @@ function HashPassword($password)
 		$hash =
 		    $this->crypt_private($password,
 		    $this->gensalt_private($random));
-		if (strlen($hash) == 34)
+		if (strlen($hash) === 34)
 			return $hash;
 
 		# Returning '*' on error is safe here, but would _not_ be safe
@@ -259,10 +223,14 @@ function HashPassword($password)
 	function CheckPassword($password, $stored_hash)
 	{
 		$hash = $this->crypt_private($password, $stored_hash);
-		if ($hash[0] == '*')
+		if ($hash[0] === '*')
 			$hash = crypt($password, $stored_hash);
 
-		return $hash == $stored_hash;
+		# This is not constant-time.  In order to keep the code simple,
+		# for timing safety we currently rely on the salts being
+		# unpredictable, which they are at least in the non-fallback
+		# cases (that is, when we use /dev/urandom and bcrypt).
+		return $hash === $stored_hash;
 	}
 }