Merge pull request #579 from wrongecho/crypto

Crypto changes - replace bin2hex
This commit is contained in:
Johnny
2023-01-26 16:58:31 -05:00
committed by GitHub
11 changed files with 57 additions and 56 deletions


@@ -230,7 +230,7 @@ if (isset($_GET['share_generate_link'])) {
$item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note']))); $item_note = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['note'])));
$item_view_limit = intval($_GET['views']); $item_view_limit = intval($_GET['views']);
$item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires']))); $item_expires = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['expires'])));
$item_key = bin2hex(random_bytes(78)); $item_key = randomString(156);
if ($item_type == "Document") { if ($item_type == "Document") {
$row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1")); $row = mysqli_fetch_array(mysqli_query($mysqli, "SELECT document_name FROM documents WHERE document_id = '$item_id' AND document_client_id = '$client_id' LIMIT 1"));
@@ -250,8 +250,8 @@ if (isset($_GET['share_generate_link'])) {
// Decrypt & re-encrypt password for sharing // Decrypt & re-encrypt password for sharing
$login_password_cleartext = decryptLoginEntry($row['login_password']); $login_password_cleartext = decryptLoginEntry($row['login_password']);
$login_encryption_key = bin2hex(random_bytes(8)); $login_encryption_key = randomString();
$iv = bin2hex(random_bytes(8)); $iv = randomString();
$ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv); $ciphertext = openssl_encrypt($login_password_cleartext, 'aes-128-cbc', $login_encryption_key, 0, $iv);
$item_encrypted_credential = $iv . $ciphertext; $item_encrypted_credential = $iv . $ciphertext;


@@ -1,5 +1,5 @@
<?php <?php
$key = bin2hex(random_bytes(78)); $key = randomString(156);
?> ?>
<div class="modal" id="addApiKeyModal" tabindex="-1"> <div class="modal" id="addApiKeyModal" tabindex="-1">
<div class="modal-dialog"> <div class="modal-dialog">


@@ -16,9 +16,8 @@
<?php echo CURRENT_DATABASE_VERSION; ?> <?php echo CURRENT_DATABASE_VERSION; ?>
<br> <br>
<?php echo bin2hex(random_bytes(8)); ?> <?php echo randomString(); ?>
<br> <br>
<?php echo keygen(); ?>
<script>toastr.success('Have Fun Wozz!!')</script> <script>toastr.success('Have Fun Wozz!!')</script>


@@ -157,7 +157,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
} }
function generatePassword() { function generatePassword() {
document.getElementById("password").value = "<?php echo bin2hex(random_bytes(8)); ?>" document.getElementById("password").value = "<?php echo randomString(); ?>"
} }
</script> </script>
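Review bot: `document.getElementById("password").value = "<?php echo randomString(); ?>"` bakes one server-generated value into the page at render time, so every click of the generate button yields the same password, and that password sits in the page source (and any cache of it) before it is ever used. Generating it in the browser with `crypto.getRandomValues` (with rejection sampling over the 62-character alphabet to avoid modulo bias), or fetching a fresh value per click, avoids both problems. The `generatePassword` function is complete within the hunk; the surrounding page is not.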


@@ -325,7 +325,7 @@ while($row = mysqli_fetch_array($sql_companies)){
mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $company_id"); mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $company_id");
//Generate a unique URL key for clients to access //Generate a unique URL key for clients to access
$url_key = bin2hex(random_bytes(78)); $url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $new_invoice_number, invoice_scope = '$recurring_scope', invoice_date = CURDATE(), invoice_due = DATE_ADD(CURDATE(), INTERVAL $client_net_terms day), invoice_amount = '$recurring_amount', invoice_currency_code = '$recurring_currency_code', invoice_note = '$recurring_note', invoice_category_id = $category_id, invoice_status = 'Sent', invoice_url_key = '$url_key', invoice_created_at = NOW(), invoice_client_id = $client_id, company_id = $company_id"); mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $new_invoice_number, invoice_scope = '$recurring_scope', invoice_date = CURDATE(), invoice_due = DATE_ADD(CURDATE(), INTERVAL $client_net_terms day), invoice_amount = '$recurring_amount', invoice_currency_code = '$recurring_currency_code', invoice_note = '$recurring_note', invoice_category_id = $category_id, invoice_status = 'Sent', invoice_url_key = '$url_key', invoice_created_at = NOW(), invoice_client_id = $client_id, company_id = $company_id");
@@ -408,4 +408,4 @@ while($row = mysqli_fetch_array($sql_companies)){
} //End Company Loop through } //End Company Loop through
?> ?>


@@ -11,22 +11,25 @@ require_once("plugins/PHPMailer/src/SMTP.php");
use PHPMailer\PHPMailer\PHPMailer; use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception; use PHPMailer\PHPMailer\Exception;
function keygen() // Function to generate both crypto & URL safe random strings
function randomString($length = 16)
{ {
$chars = "abcdefghijklmnopqrstuvwxyz"; // Generate some cryptographically safe random bytes
$chars .= "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; // Generate a little more than requested as we'll lose some later converting
$chars .= "0123456789"; $random_bytes = random_bytes($length + 5);
while (1) {
$key = ''; // Convert the bytes to something somewhat human-readable
srand((double) microtime() * 1000000); $random_base_64 = base64_encode($random_bytes);
for ($i = 0; $i < 16; $i++) {
$key .= substr($chars, (rand() % (strlen($chars))), 1); // Replace the nasty characters that come with base64
} $bad_chars = array("/", "+", "=");
break; $random_string = str_replace($bad_chars, random_int(0, 9), $random_base_64);
}
return $key; // Truncate the string to the requested $length and return
return substr($random_string, 0, $length);
} }
// Older keygen function - only used for TOTP currently
function key32gen() function key32gen()
{ {
$chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
@@ -72,14 +75,10 @@ function get_ip() {
if (defined("CONST_GET_IP_METHOD")) { if (defined("CONST_GET_IP_METHOD")) {
if (CONST_GET_IP_METHOD == "HTTP_X_FORWARDED_FOR") { if (CONST_GET_IP_METHOD == "HTTP_X_FORWARDED_FOR") {
$ip = getenv('HTTP_X_FORWARDED_FOR'); $ip = getenv('HTTP_X_FORWARDED_FOR');
} } else {
else{
$ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $_SERVER['REMOTE_ADDR']; $ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $_SERVER['REMOTE_ADDR'];
} }
} } else {
else{
$ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $_SERVER['REMOTE_ADDR']; $ip = $_SERVER["HTTP_CF_CONNECTING_IP"] ?? $_SERVER['REMOTE_ADDR'];
} }
@@ -226,8 +225,8 @@ function mkdir_missing($dir) {
// Called during initial setup // Called during initial setup
// Encrypts the master key with the user's password // Encrypts the master key with the user's password
function setupFirstUserSpecificKey($user_password, $site_encryption_master_key) { function setupFirstUserSpecificKey($user_password, $site_encryption_master_key) {
$iv = bin2hex(random_bytes(8)); $iv = randomString();
$salt = bin2hex(random_bytes(8)); $salt = randomString();
//Generate 128-bit (16 byte/char) kdhash of the users password //Generate 128-bit (16 byte/char) kdhash of the users password
$user_password_kdhash = hash_pbkdf2('sha256', $user_password, $salt, 100000, 16); $user_password_kdhash = hash_pbkdf2('sha256', $user_password, $salt, 100000, 16);
@@ -243,9 +242,10 @@ function setupFirstUserSpecificKey($user_password, $site_encryption_master_key)
* New Users: Requires the admin setting up their account have a Specific/Session key configured * New Users: Requires the admin setting up their account have a Specific/Session key configured
* Password Changes: Will use the current info in the session. * Password Changes: Will use the current info in the session.
*/ */
function encryptUserSpecificKey($user_password) { function encryptUserSpecificKey($user_password)
$iv = bin2hex(random_bytes(8)); {
$salt = bin2hex(random_bytes(8)); $iv = randomString();
$salt = randomString();
// Get the session info. // Get the session info.
$user_encryption_session_ciphertext = $_SESSION['user_encryption_session_ciphertext']; $user_encryption_session_ciphertext = $_SESSION['user_encryption_session_ciphertext'];
@@ -267,7 +267,8 @@ function encryptUserSpecificKey($user_password) {
// Given a ciphertext (incl. IV) and the user's password, returns the site master key // Given a ciphertext (incl. IV) and the user's password, returns the site master key
// Ran at login, to facilitate generateUserSessionKey // Ran at login, to facilitate generateUserSessionKey
function decryptUserSpecificKey($user_encryption_ciphertext, $user_password) { function decryptUserSpecificKey($user_encryption_ciphertext, $user_password)
{
//Get the IV, salt and ciphertext //Get the IV, salt and ciphertext
$salt = substr($user_encryption_ciphertext, 0, 16); $salt = substr($user_encryption_ciphertext, 0, 16);
$iv = substr($user_encryption_ciphertext, 16, 16); $iv = substr($user_encryption_ciphertext, 16, 16);
@@ -287,11 +288,10 @@ Generates what is probably best described as a session key (ephemeral-ish)
- Only the user can decrypt their session ciphertext to get the master key - Only the user can decrypt their session ciphertext to get the master key
- Encryption key never hits the disk in cleartext - Encryption key never hits the disk in cleartext
*/ */
function generateUserSessionKey($site_encryption_master_key) { function generateUserSessionKey($site_encryption_master_key)
{
// Generate both of these using bin2hex(random_bytes(8)) $user_encryption_session_key = randomString();
$user_encryption_session_key = bin2hex(random_bytes(8)); $user_encryption_session_iv = randomString();
$user_encryption_session_iv = bin2hex(random_bytes(8));
$user_encryption_session_ciphertext = openssl_encrypt($site_encryption_master_key, 'aes-128-cbc', $user_encryption_session_key, 0, $user_encryption_session_iv); $user_encryption_session_ciphertext = openssl_encrypt($site_encryption_master_key, 'aes-128-cbc', $user_encryption_session_key, 0, $user_encryption_session_iv);
// Store ciphertext in the user's session // Store ciphertext in the user's session
@@ -309,7 +309,8 @@ function generateUserSessionKey($site_encryption_master_key) {
} }
// Decrypts an encrypted password (website/asset login), returns it as a string // Decrypts an encrypted password (website/asset login), returns it as a string
function decryptLoginEntry($login_password_ciphertext) { function decryptLoginEntry($login_password_ciphertext)
{
// Split the login into IV and Ciphertext // Split the login into IV and Ciphertext
$login_iv = substr($login_password_ciphertext, 0, 16); $login_iv = substr($login_password_ciphertext, 0, 16);
@@ -329,8 +330,9 @@ function decryptLoginEntry($login_password_ciphertext) {
} }
// Encrypts a website/asset login password // Encrypts a website/asset login password
function encryptLoginEntry($login_password_cleartext) { function encryptLoginEntry($login_password_cleartext)
$iv = bin2hex(random_bytes(8)); {
$iv = randomString();
// Get the user session info. // Get the user session info.
$user_encryption_session_ciphertext = $_SESSION['user_encryption_session_ciphertext']; $user_encryption_session_ciphertext = $_SESSION['user_encryption_session_ciphertext'];
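Review bot: `str_replace($bad_chars, random_int(0, 9), $random_base_64)` evaluates `random_int` once, so every `/`, `+` and `=` in the base64 text is replaced by the same digit; that digit is then over-represented and its positions reveal where the non-alphanumerics sat, so the output is neither uniform over the 62-character alphabet nor worth the 6 bits per character the base64 encoding suggests. Since the goal is plain alphanumerics, draw each character uniformly with `random_int` over a 62-character alphabet instead (below); that also removes the `+ 5` fudge and fails loudly on `$length < 1` rather than returning `''` as a key. The default length 16 is load-bearing: `decryptUserSpecificKey` and `decryptLoginEntry` split stored blobs with `substr(..., 0, 16)` / `substr(..., 16, 16)`, so the salt/IV producers should pass the length explicitly or share a named constant rather than rely on the default. Unrelated to this change but visible in the same hunk, `hash_pbkdf2('sha256', $user_password, $salt, 100000, 16)` without `binary = true` returns 16 hex characters, i.e. 64 bits of key material, contradicting the "128-bit (16 byte/char)" comment above it; the `key32gen` body and the rest of the file continue outside these hunks.
```php
// Cryptographically random alphanumeric string of exactly $length characters.
// Each character is drawn uniformly from [A-Za-z0-9] with random_int(), so no
// character is favoured. 16 characters ≈ 95 bits (log2(62) per char); a caller
// that hands the result to aes-128-cbc gets at most that, not a 128-bit key.
function randomString($length = 16)
{
    if ($length < 1) {
        throw new InvalidArgumentException('randomString length must be >= 1');
    }
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $last = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $last)];
    }
    return $out;
}
```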


@@ -117,7 +117,7 @@ if (isset($_POST['login'])) {
$_SESSION['user_id'] = $user_id; $_SESSION['user_id'] = $user_id;
$_SESSION['user_name'] = $user_name; $_SESSION['user_name'] = $user_name;
$_SESSION['user_role'] = $row['user_role']; $_SESSION['user_role'] = $row['user_role'];
$_SESSION['csrf_token'] = bin2hex(random_bytes(78)); $_SESSION['csrf_token'] = randomString(156);
$_SESSION['logged'] = TRUE; $_SESSION['logged'] = TRUE;
// Setup encryption session key // Setup encryption session key


@@ -51,7 +51,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") {
$company = $row['company_id']; $company = $row['company_id'];
if ($row['contact_email'] == $email) { if ($row['contact_email'] == $email) {
$token = bin2hex(random_bytes(78)); $token = randomString(156);
$url = "https://$config_base_url/portal/login_reset.php?email=$email&token=$token&client=$client"; $url = "https://$config_base_url/portal/login_reset.php?email=$email&token=$token&client=$client";
mysqli_query($mysqli, "UPDATE contacts SET contact_password_reset_token = '$token' WHERE contact_id = $id LIMIT 1"); mysqli_query($mysqli, "UPDATE contacts SET contact_password_reset_token = '$token' WHERE contact_id = $id LIMIT 1");
mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company"); mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'Contact', log_action = 'Modify', log_description = 'Sent a portal password reset e-mail for $email.', log_ip = '$ip', log_user_agent = '$user_agent', log_created_at = NOW(), log_client_id = $client, company_id = $company");
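Review bot: `UPDATE contacts SET contact_password_reset_token = '$token'` stores the reset token in cleartext, so anyone who can read the contacts table (a backup, an injection elsewhere) holds a working reset credential for every contact with a pending reset; store `hash('sha256', $token)` here and hash the incoming token before comparing it in login_reset.php. This UPDATE also records no issue time, so unless one is set elsewhere the token never expires — set a timestamp column alongside it and reject tokens older than a short window on use. The reset URL interpolates `$email` raw; use `urlencode($email)` so addresses containing `+` survive the round trip. The enclosing POST handler begins before this hunk.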


@@ -373,7 +373,7 @@ if(isset($_POST['edit_profile'])){
// Enable extension access, only if it isn't already setup (user doesn't have cookie) // Enable extension access, only if it isn't already setup (user doesn't have cookie)
if(isset($_POST['extension']) && $_POST['extension'] == 'Yes'){ if(isset($_POST['extension']) && $_POST['extension'] == 'Yes'){
if(!isset($_COOKIE['user_extension_key'])){ if(!isset($_COOKIE['user_extension_key'])){
$extension_key = bin2hex(random_bytes(78)); $extension_key = randomString(156);
mysqli_query($mysqli, "UPDATE users SET user_extension_key = '$extension_key' WHERE user_id = $user_id"); mysqli_query($mysqli, "UPDATE users SET user_extension_key = '$extension_key' WHERE user_id = $user_id");
$extended_log_description .= ", extension access enabled"; $extended_log_description .= ", extension access enabled";
@@ -437,7 +437,7 @@ if(isset($_GET['archive_user'])){
// Variables from GET // Variables from GET
$user_id = intval($_GET['archive_user']); $user_id = intval($_GET['archive_user']);
$password = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT); $password = password_hash(randomString(), PASSWORD_DEFAULT);
// Get user details // Get user details
$sql = mysqli_query($mysqli,"SELECT * FROM users WHERE user_id = $user_id"); $sql = mysqli_query($mysqli,"SELECT * FROM users WHERE user_id = $user_id");
@@ -2878,7 +2878,7 @@ if(isset($_POST['add_invoice'])){
mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $session_company_id"); mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $session_company_id");
//Generate a unique URL key for clients to access //Generate a unique URL key for clients to access
$url_key = bin2hex(random_bytes(78)); $url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$scope', invoice_date = '$date', invoice_due = DATE_ADD('$date', INTERVAL $client_net_terms day), invoice_currency_code = '$session_company_currency', invoice_category_id = $category, invoice_status = 'Draft', invoice_url_key = '$url_key', invoice_client_id = $client, company_id = $session_company_id"); mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$scope', invoice_date = '$date', invoice_due = DATE_ADD('$date', INTERVAL $client_net_terms day), invoice_currency_code = '$session_company_currency', invoice_category_id = $category, invoice_status = 'Draft', invoice_url_key = '$url_key', invoice_client_id = $client, company_id = $session_company_id");
$invoice_id = mysqli_insert_id($mysqli); $invoice_id = mysqli_insert_id($mysqli);
@@ -2936,7 +2936,7 @@ if(isset($_POST['add_invoice_copy'])){
$category_id = $row['invoice_category_id']; $category_id = $row['invoice_category_id'];
//Generate a unique URL key for clients to access //Generate a unique URL key for clients to access
$url_key = bin2hex(random_bytes(78)); $url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$invoice_scope', invoice_date = '$date', invoice_due = DATE_ADD('$date', INTERVAL $client_net_terms day), invoice_category_id = $category_id, invoice_status = 'Draft', invoice_amount = '$invoice_amount', invoice_currency_code = '$invoice_currency_code', invoice_note = '$invoice_note', invoice_url_key = '$url_key', invoice_client_id = $client_id, company_id = $session_company_id") or die(mysql_error()); mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$invoice_scope', invoice_date = '$date', invoice_due = DATE_ADD('$date', INTERVAL $client_net_terms day), invoice_category_id = $category_id, invoice_status = 'Draft', invoice_amount = '$invoice_amount', invoice_currency_code = '$invoice_currency_code', invoice_note = '$invoice_note', invoice_url_key = '$url_key', invoice_client_id = $client_id, company_id = $session_company_id") or die(mysql_error());
@@ -3031,7 +3031,7 @@ if(isset($_POST['add_quote'])){
mysqli_query($mysqli,"UPDATE settings SET config_quote_next_number = $new_config_quote_next_number WHERE company_id = $session_company_id"); mysqli_query($mysqli,"UPDATE settings SET config_quote_next_number = $new_config_quote_next_number WHERE company_id = $session_company_id");
//Generate a unique URL key for clients to access //Generate a unique URL key for clients to access
$quote_url_key = bin2hex(random_bytes(78)); $quote_url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO quotes SET quote_prefix = '$config_quote_prefix', quote_number = $quote_number, quote_scope = '$scope', quote_date = '$date', quote_currency_code = '$session_company_currency', quote_category_id = $category, quote_status = 'Draft', quote_url_key = '$quote_url_key', quote_client_id = $client, company_id = $session_company_id"); mysqli_query($mysqli,"INSERT INTO quotes SET quote_prefix = '$config_quote_prefix', quote_number = $quote_number, quote_scope = '$scope', quote_date = '$date', quote_currency_code = '$session_company_currency', quote_category_id = $category, quote_status = 'Draft', quote_url_key = '$quote_url_key', quote_client_id = $client, company_id = $session_company_id");
@@ -3068,7 +3068,7 @@ if(isset($_POST['add_quote_copy'])){
$category_id = $row['quote_category_id']; $category_id = $row['quote_category_id'];
//Generate a unique URL key for clients to access //Generate a unique URL key for clients to access
$quote_url_key = bin2hex(random_bytes(78)); $quote_url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO quotes SET quote_prefix = '$config_quote_prefix', quote_number = $quote_number, quote_scope = '$quote_scope', quote_date = '$date', quote_category_id = $category_id, quote_status = 'Draft', quote_amount = '$quote_amount', quote_currency_code = '$quote_currency_code', quote_note = '$quote_note', quote_url_key = '$quote_url_key', quote_client_id = $client_id, company_id = $session_company_id"); mysqli_query($mysqli,"INSERT INTO quotes SET quote_prefix = '$config_quote_prefix', quote_number = $quote_number, quote_scope = '$quote_scope', quote_date = '$date', quote_category_id = $category_id, quote_status = 'Draft', quote_amount = '$quote_amount', quote_currency_code = '$quote_currency_code', quote_note = '$quote_note', quote_url_key = '$quote_url_key', quote_client_id = $client_id, company_id = $session_company_id");
@@ -3121,7 +3121,7 @@ if(isset($_POST['add_quote_to_invoice'])){
$category_id = $row['quote_category_id']; $category_id = $row['quote_category_id'];
//Generate a unique URL key for clients to access //Generate a unique URL key for clients to access
$url_key = bin2hex(random_bytes(78)); $url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$quote_scope', invoice_date = '$date', invoice_due = DATE_ADD(CURDATE(), INTERVAL $client_net_terms day), invoice_category_id = $category_id, invoice_status = 'Draft', invoice_amount = '$quote_amount', invoice_currency_code = '$quote_currency_code', invoice_note = '$quote_note', invoice_url_key = '$url_key', invoice_client_id = $client_id, company_id = $session_company_id"); mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$quote_scope', invoice_date = '$date', invoice_due = DATE_ADD(CURDATE(), INTERVAL $client_net_terms day), invoice_category_id = $category_id, invoice_status = 'Draft', invoice_amount = '$quote_amount', invoice_currency_code = '$quote_currency_code', invoice_note = '$quote_note', invoice_url_key = '$url_key', invoice_client_id = $client_id, company_id = $session_company_id");
@@ -4126,7 +4126,7 @@ if(isset($_POST['add_contact'])){
$contact_technical = intval($_POST['contact_technical']); $contact_technical = intval($_POST['contact_technical']);
$location_id = intval($_POST['location']); $location_id = intval($_POST['location']);
$auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['auth_method']))); $auth_method = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['auth_method'])));
$password = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT); $password = password_hash(randomString(), PASSWORD_DEFAULT);
if(!file_exists("uploads/clients/$session_company_id/$client_id")) { if(!file_exists("uploads/clients/$session_company_id/$client_id")) {
@@ -6736,7 +6736,7 @@ if(isset($_POST['add_invoice_from_ticket'])){
mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $session_company_id"); mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $session_company_id");
//Generate a unique URL key for clients to access //Generate a unique URL key for clients to access
$url_key = bin2hex(random_bytes(78)); $url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$scope', invoice_date = '$date', invoice_due = DATE_ADD('$date', INTERVAL $client_net_terms day), invoice_currency_code = '$session_company_currency', invoice_category_id = $category, invoice_status = 'Draft', invoice_url_key = '$url_key', invoice_client_id = $client_id, company_id = $session_company_id"); mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = $invoice_number, invoice_scope = '$scope', invoice_date = '$date', invoice_due = DATE_ADD('$date', INTERVAL $client_net_terms day), invoice_currency_code = '$session_company_currency', invoice_category_id = $category, invoice_status = 'Draft', invoice_url_key = '$url_key', invoice_client_id = $client_id, company_id = $session_company_id");
$invoice_id = mysqli_insert_id($mysqli); $invoice_id = mysqli_insert_id($mysqli);
@@ -7446,7 +7446,7 @@ if(isset($_GET['force_recurring'])){
mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $session_company_id"); mysqli_query($mysqli,"UPDATE settings SET config_invoice_next_number = $new_config_invoice_next_number WHERE company_id = $session_company_id");
//Generate a unique URL key for clients to access //Generate a unique URL key for clients to access
$url_key = bin2hex(random_bytes(78)); $url_key = randomString(156);
mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = '$new_invoice_number', invoice_scope = '$recurring_scope', invoice_date = CURDATE(), invoice_due = DATE_ADD(CURDATE(), INTERVAL $client_net_terms day), invoice_amount = '$recurring_amount', invoice_currency_code = '$recurring_currency_code', invoice_note = '$recurring_note', invoice_category_id = $category_id, invoice_status = 'Sent', invoice_url_key = '$url_key', invoice_client_id = $client_id, company_id = $session_company_id"); mysqli_query($mysqli,"INSERT INTO invoices SET invoice_prefix = '$config_invoice_prefix', invoice_number = '$new_invoice_number', invoice_scope = '$recurring_scope', invoice_date = CURDATE(), invoice_due = DATE_ADD(CURDATE(), INTERVAL $client_net_terms day), invoice_amount = '$recurring_amount', invoice_currency_code = '$recurring_currency_code', invoice_note = '$recurring_note', invoice_category_id = $category_id, invoice_status = 'Sent', invoice_url_key = '$url_key', invoice_client_id = $client_id, company_id = $session_company_id");
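Review bot: `$password = password_hash(randomString(), PASSWORD_DEFAULT)` in the archive_user and add_contact hunks is the one place in this PR where entropy goes down rather than up: the throw-away password drops from `bin2hex(random_bytes(16))` (32 hex characters, 128 bits) to 16 alphanumerics (about 95 bits). That is still not guessable, but if parity was intended pass the length explicitly, `password_hash(randomString(22), PASSWORD_DEFAULT)` (about 131 bits), and a short comment such as `// unguessable placeholder; the account is never meant to log in with it` would make the intent clear to the next reader. The enclosing request handlers start and end outside these hunks.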


@@ -848,7 +848,7 @@ if (isset($_POST['add_user'])) {
$password = password_hash($_POST['password'], PASSWORD_DEFAULT); $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
//Generate master encryption key //Generate master encryption key
$site_encryption_master_key = bin2hex(random_bytes(8)); $site_encryption_master_key = randomString();
//Generate user specific key //Generate user specific key
$user_specific_encryption_ciphertext = setupFirstUserSpecificKey($_POST['password'], $site_encryption_master_key); $user_specific_encryption_ciphertext = setupFirstUserSpecificKey($_POST['password'], $site_encryption_master_key);
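Review bot: `$site_encryption_master_key = randomString()` makes the root secret that protects every stored credential a 16-character alphanumeric string, about 95 bits — up from the 64 bits of `bin2hex(random_bytes(8))`, but still short of the aes-128-cbc key it feeds, and because `openssl_encrypt` silently truncates the passphrase to 16 bytes, lengthening the string would not help. Reaching 128 bits needs raw `random_bytes(16)` as the key, with care that every place the key is stored or concatenated is binary-safe; if that is deferred, record the bound here: `// 16 alphanumerics ≈ 95 bits; aes-128-cbc uses the first 16 passphrase bytes verbatim`. The add_user handler continues outside this hunk.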


@@ -170,7 +170,7 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
</div> </div>
<script> <script>
function generatePassword() { function generatePassword() {
document.getElementById("password").value = "<?php echo keygen() ?>" document.getElementById("password").value = "<?php echo randomString() ?>"
} }
</script> </script>