MPOS/php-mpos

View on GitHub
include/pages/admin/checks/check_security.inc.php

Summary

Maintainability
A
0 mins
Test Coverage
<?php
$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;

// check if password salts are sane
if (strlen($config['SALT']) < 24 || strlen($config['SALTY']) < 24 || $config['SALT'] == 'PLEASEMAKEMESOMETHINGRANDOM' || $config['SALTY'] == 'THISSHOULDALSOBERRAANNDDOOM') {
  $newerror = array();
  $newerror['name'] = "Password Salts";
  $newerror['level'] = 2;
  $newerror['extdesc'] = "Salts are important because they add a random element and 'padding' to passwords and other hashed strings. They should be changed from the default and should not be too short for increased security.";
  if ($config['SALT'] == 'PLEASEMAKEMESOMETHINGRANDOM' || $config['SALTY'] == 'THISSHOULDALSOBERRAANNDDOOM') {
    $newerror['description'] = "You absolutely <u>SHOULD NOT leave your SALT or SALTY default</u> changing them will require registering again.";
  } else {
    $newerror['description'] = "SALT or SALTY is too short, they should be more than 24 characters and changing them will require registering again.</p>";
  }
  $newerror['configvalue'] = "SALT";
  $newerror['helplink'] = "https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-defines--salts";
  $error[] = $newerror;
  $newerror = null;
}

// check if htaccess exists
if (!file_exists(BASEPATH.".htaccess")) {
  $newerror = array();
  $newerror['name'] = ".htaccess";
  $newerror['level'] = 2;
  $newerror['extdesc'] = ".htaccess files let you control who/how files are accessed for Apache. If you're using Apache for MPOS, you should be using .htaccess.";
  $htaccess_link = "<a href='https://github.com/MPOS/php-mpos/blob/next/public/.htaccess'>.htaccess</a>";
  $newerror['description'] = "You don't seem to have a .htaccess in your public folder, if you're using Apache set it up: $htaccess_link";
  $newerror['configvalue'] = ".htaccess";
  $newerror['helplink'] = "https://github.com/MPOS/php-mpos/wiki";
  $error[] = $newerror;
  $newerror = null;
}