AS1024
/
itflow
mirror of https://github.com/itflow-org/itflow
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

r

This commit is contained in:
Marcus Hill 2022-01-11 18:22:45 +00:00
parent 951b03f712
commit d3d39ca8ad
2 changed files with 13 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
post.php
View File

@ -1030,7 +1030,6 @@ if(isset($_GET['update_db'])){
if(isset($_POST['encryption_update'])){
$password = $_POST['password'];
//$session_company_id
//Get user details
$sql = mysqli_query($mysqli,"SELECT * FROM users WHERE user_id = '$session_user_id'");
@ -1038,8 +1037,8 @@ if(isset($_POST['encryption_update'])){
//Verify the users password
if(!password_verify($password, $row['user_password'])){
echo "Password incorrect.";
exit();
$_SESSION['alert_message'] = "User password incorrect.";
header("Location: " . $_SERVER["HTTP_REFERER"]);
}
//First, check if this user is setup for the new encryption setup
@ -1049,11 +1048,12 @@ if(isset($_POST['encryption_update'])){
$site_encryption_master_key = decryptUserSpecificKey($user_encryption_ciphertext, $password);
}
else{
echo "Ciphertext data not found, attempting to adding it.";
echo "User ciphertext data not found, attempting to add it.<br>";
$update_table = mysqli_query($mysqli, "ALTER TABLE `users` ADD `user_specific_encryption_ciphertext` VARCHAR(200) NULL AFTER `user_avatar`; ");
if(!$update_table){
echo "Error adding ciphertext column to users table. Either there was a connection/permissions issue or the column already exists due to a upgrade already taking place?<br>";
echo "Error adding ciphertext column (user_specific_encryption_ciphertext) to users table.";
echo "Either there was a connection/permissions issue or the column already exists due to a upgrade already taking place?<br>";
exit();
}
@ -1064,7 +1064,7 @@ if(isset($_POST['encryption_update'])){
echo "New master key is: $site_encryption_master_key <br>";
$user_encryption_ciphertext = setupFirstUserSpecificKey($password, $site_encryption_master_key);
$set_user_specific_key = mysqli_query($mysqli, "UPDATE users SET user_specific_encryption_ciphertext = '$user_encryption_ciphertext' user_id = '$session_user_id'");
$set_user_specific_key = mysqli_query($mysqli, "UPDATE users SET user_specific_encryption_ciphertext = '$user_encryption_ciphertext' WHERE user_id = '$session_user_id'");
if(!$set_user_specific_key){
echo "Something went wrong adding your user specific key.<br>";
exit();
@ -1077,7 +1077,7 @@ if(isset($_POST['encryption_update'])){
//If we don't do this, users won't be able to see the new passwords properly, and could potentially add passwords that can never be decrypted
mysqli_query($mysqli, "UPDATE users SET login_password = 'Invalid due to upgrade'");
$extended_log_description = ", invalidated all user passwords";
echo "Invalidated all user passwords. You must re-set them from this user.<br>";
echo "Invalidated all user passwords. You must re-set them from this user account.<br>";
}
//Either way, if we got here we now have the master key as $site_encryption_master_key
@ -1096,7 +1096,10 @@ if(isset($_POST['encryption_update'])){
//Logging
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Settings', log_action = 'Migrate', log_description = '$session_name upgraded $session_company_id logins to the new encryption scheme$extended_log_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_user_id = $session_user_id, company_id = $session_company_id");
echo "Migration for company successful.";
echo "Migration for company successful.<br>";
$_SESSION['alert_message'] = "Migration for company successful.";
echo "<a href='/settings-update.php'>Back to settings.</a>";
}

4
settings-update.php
View File

@ -70,7 +70,7 @@ $git_log = shell_exec("git log master..origin/master --pretty=format:'<tr><td>%h
<center>
<div class="col-8">
<div class="alert alert-danger" role="alert">
<strong>You only need to continue with this action if you are upgrading/migrating to the new encryption setup.</strong>
<strong>You only need to continue with this action if you are upgrading/migrating to the new (post Jan 2022) encryption setup.</strong>
<ul>
<li>Please take a backup of your current AES config key (for each company), and your 'logins' database table</li>
<li>Please ensure you have access to ALL companies registered under this instance, if using multiple companies. Only one user should perform the entire migration.</li>
@ -86,7 +86,7 @@ echo "Current Company ID: $session_company_id <br>";
echo "Current User ID: $session_user_id <br>";
if ($config_aes_key) {
echo "Current AES key: $config_aes_key <br><br>";
echo "Current (legacy) AES key: $config_aes_key <br><br>";
echo "<b>Below are the decrypted credentials for five login entries, please confirm they show and are correct before continuing. <br>Do NOT continue if no entries are shown or if the decrypted passwords are incorrect.</b><br>";
$sql = mysqli_query($mysqli,"SELECT *, AES_DECRYPT(login_password, '$config_aes_key') AS login_password FROM logins WHERE (company_id = '$session_company_id' AND login_password IS NOT NULL) LIMIT 5");
foreach ($sql as $row){