r76391 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r76391
Date: 16:51, 9 November 2010
Author: demon
Status: resolved
Comment:
Followup r75392. Per IRC, we should generate a default $wgUpgradeKey (took a semi-random part of an md5()'d $wgSecretKey) to hopefully encourage people from setting it to things like "abc." Leave it commented, so default behavior is still to keep the installer disabled
Modified paths:
  • /trunk/phase3/includes/installer/CoreInstaller.php (modified)
  • /trunk/phase3/includes/installer/Installer.i18n.php (modified)
  • /trunk/phase3/includes/installer/LocalSettingsGenerator.php (modified)

Diff

Index: trunk/phase3/includes/installer/LocalSettingsGenerator.php
@@ -45,7 +45,7 @@
4646 'wgDBtype', 'wgSecretKey', 'wgRightsUrl', 'wgSitename', 'wgRightsIcon',
4747 'wgRightsText', 'wgRightsCode', 'wgMainCacheType', 'wgEnableUploads',
4848 'wgMainCacheType', '_MemCachedServers', 'wgDBserver', 'wgDBuser',
49 - 'wgDBpassword', 'wgUseInstantCommons'
 49+ 'wgDBpassword', 'wgUseInstantCommons', 'wgUpgradeKey'
5050 ),
5151 $db->getGlobalNames()
5252 );
@@ -291,6 +291,10 @@
292292
293293 \$wgSecretKey = \"{$this->values['wgSecretKey']}\";
294294
 295+# Site upgrade key. Must be set to a string (default provided) to turn on the
 296+# web installer while LocalSettings.php is in place
 297+#\$wgUpgradeKey = \"{$this->values['wgUpgradeKey']}\";
 298+
295299 ## Default skin: you can change the default skin. Use the internal symbolic
296300 ## names, ie 'standard', 'nostalgia', 'cologneblue', 'monobook', 'vector':
297301 \$wgDefaultSkin = 'vector';
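Review bot: The comment written above the commented-out `$wgUpgradeKey` line says the key "Must be set to a string (default provided)" but never tells the administrator that the way to do so is to uncomment the line that follows, or that it is left disabled on purpose. Suggest wording along the lines of "Uncomment the line below to enable the web installer while LocalSettings.php is in place", and a reminder to treat the value as a secret, since it gates the web installer on an installed wiki.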
Index: trunk/phase3/includes/installer/CoreInstaller.php
@@ -48,6 +48,7 @@
4949 'wgShellLocale',
5050 'wgSecretKey',
5151 'wgUseInstantCommons',
 52+ 'wgUpgradeKey',
5253 );
5354
5455 /**
@@ -307,6 +308,7 @@
308309 array( 'name' => 'tables', 'callback' => array( $this, 'installTables' ) ),
309310 array( 'name' => 'interwiki', 'callback' => array( $installer, 'populateInterwikiTable' ) ),
310311 array( 'name' => 'secretkey', 'callback' => array( $this, 'generateSecretKey' ) ),
 312+ array( 'name' => 'upgradekey', 'callback' => array( $this, 'generateUpgradeKey' ) ),
311313 array( 'name' => 'sysop', 'callback' => array( $this, 'createSysop' ) ),
312314 array( 'name' => 'mainpage', 'callback' => array( $this, 'createMainpage' ) ),
313315 );
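Review bot: The new 'upgradekey' step is only correct because it is listed after 'secretkey': generateUpgradeKey() reads wgSecretKey through getVar(), so if these steps are ever reordered the key would be derived from md5() of an unset value. Either document the ordering dependency next to this array entry or set wgUpgradeKey inside generateSecretKey() so the two cannot drift apart and no separate step is needed.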
@@ -397,6 +399,19 @@
398400 }
399401
400402 /**
 403+ * Generate a default $wgUpradeKey, using a semi-random 8 character portion
 404+ * of md5($wgSecretKey)
 405+ *
 406+ * @return Status
 407+ */
 408+ protected function generateUpgradeKey() {
 409+ $secret = md5( $this->getVar( 'wgSecretKey' ) );
 410+ $randPos = mt_rand( 0, strlen( $secret ) - 8 );
 411+ $this->setVar( 'wgUpgradeKey', substr( $secret, $randPos, $randPos + 8 ) );
 412+ return Status::newGood();
 413+ }
 414+
 415+ /**
401416 * Create the first user account, grant it sysop and bureaucrat rights
402417 *
403418 * @return Status
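Review bot: In generateUpgradeKey(), the third argument of substr() is a length, not an end offset, so `substr( $secret, $randPos, $randPos + 8 )` returns anywhere from 8 to 20 characters depending on $randPos instead of the 8 the docblock promises; pass 8 as the length. Beyond that, the key is a slice of md5($wgSecretKey) picked with mt_rand(): an 8 hex character value carries at most 32 bits, there are only 25 possible start offsets, and the result is tied to the secret key, so a weak $wgSecretKey (the case the existing 'config-insecure-secretkey' warning covers) gives a weak upgrade key, and a disclosed upgrade key reveals part of the secret key's hash. Generating wgUpgradeKey independently, the same way wgSecretKey is generated, avoids all three. The docblock also misspells the variable as $wgUpradeKey.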
Index: trunk/phase3/includes/installer/Installer.i18n.php
@@ -474,6 +474,7 @@
475475 'config-install-secretkey' => 'Generating secret key',
476476 'config-insecure-secretkey' => "'''Warning:''' Unable to create secure <code>\$wgSecretKey</code>.
477477 Consider changing it manually.",
 478+ 'config-install-upgradekey' => 'Generating default upgrade key',
478479 'config-install-sysop' => 'Creating administrator user account',
479480 'config-install-mainpage' => 'Creating main page with default content',
480481 'config-install-mainpage-failed' => 'Could not insert main page.',

Follow-up revisions

Revision | Commit summary | Author | Date
r76393 | Followup r76391 per CR: just do $wgUpgradeKey in generateSecretKey() | demon | 17:01, 9 November 2010
r76394 | Followup r76391, r76393, rm unused msg | demon | 17:02, 9 November 2010
r76806 | Revert r76393 and make $wgUpgradeKey like $wgSecretKey. Followup for r76391 | platonides | 16:16, 16 November 2010

Past revisions this follows-up on

Revision | Commit summary | Author | Date
r75392 | (bug 198: Easy, secure in-place upgrade) Introduce new $wgUpgradeKey. When se... | demon | 23:18, 25 October 2010

Comments

Comment by Platonides, 16:56, 9 November 2010

I think it should be created in installSecretKey(), but without warning and saving in $wgUpgradeKey.

Comment by 😂, 17:02, 9 November 2010

Like that?
