diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php index 2803d68ec..6795236d5 100755 --- a/classes/pref/feeds.php +++ b/classes/pref/feeds.php @@ -646,7 +646,7 @@ class Pref_Feeds extends Handler_Protected { $auth_pass = $this->dbh->fetch_result($result, 0, "auth_pass"); - if ($auth_pass_encrypted) { + if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { require_once "crypt.php"; $auth_pass = decrypt_string($auth_pass); } @@ -983,14 +983,7 @@ class Pref_Feeds extends Handler_Protected { $feed_language = $this->dbh->escape_string(trim($_POST["feed_language"])); - if (strlen(FEED_CRYPT_KEY) > 0) { - require_once "crypt.php"; - $auth_pass = substr(encrypt_string($auth_pass), 0, 250); - $auth_pass_encrypted = 'true'; - } else { - $auth_pass_encrypted = 'false'; - } - + $auth_pass_encrypted = 'false'; $auth_pass = $this->dbh->escape_string($auth_pass); if (get_pref('ENABLE_FEED_CATS')) { @@ -1889,14 +1882,7 @@ class Pref_Feeds extends Handler_Protected { "SELECT id FROM ttrss_feeds WHERE feed_url = '$feed' AND owner_uid = ".$_SESSION["uid"]); - if (strlen(FEED_CRYPT_KEY) > 0) { - require_once "crypt.php"; - $pass = substr(encrypt_string($pass), 0, 250); - $auth_pass_encrypted = 'true'; - } else { - $auth_pass_encrypted = 'false'; - } - + $auth_pass_encrypted = 'false'; $pass = $this->dbh->escape_string($pass); if ($this->dbh->num_rows($result) == 0) { diff --git a/config.php-dist b/config.php-dist index 2eaaab617..c86af943b 100644 --- a/config.php-dist +++ b/config.php-dist @@ -25,6 +25,11 @@ // including PUSH, bookmarklets and browser integration will not work properly. define('FEED_CRYPT_KEY', ''); + // WARNING: mcrypt is deprecated in php 7.1. This directive exists for backwards + // compatibility with existing installs, new passwords are NOT going to be encrypted. + // Use update.php --decrypt-feeds to decrypt existing passwords in the database while + // mcrypt is still available. + // Key used for encryption of passwords for password-protected feeds // in the database. A string of 24 random characters. If left blank, encryption // is not used. Requires mcrypt functions. diff --git a/include/crypt.php b/include/crypt.php index f06483ef1..217ad3b0f 100644 --- a/include/crypt.php +++ b/include/crypt.php @@ -18,19 +18,4 @@ return false; } - - function encrypt_string($str) { - $key = hash('SHA256', FEED_CRYPT_KEY, true); - - $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, - MCRYPT_MODE_CBC), MCRYPT_RAND); - - $encstr = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $str, - MCRYPT_MODE_CBC, $iv); - - $iv_base64 = base64_encode($iv); - $encstr_base64 = base64_encode($encstr); - - return "$iv_base64:$encstr_base64"; - } ?> diff --git a/include/functions.php b/include/functions.php index f10c3a00b..ce7627d5a 100755 --- a/include/functions.php +++ b/include/functions.php @@ -1749,14 +1749,7 @@ "SELECT id FROM ttrss_feeds WHERE feed_url = '$url' AND owner_uid = ".$_SESSION["uid"]); - if (strlen(FEED_CRYPT_KEY) > 0) { - require_once "crypt.php"; - $auth_pass = substr(encrypt_string($auth_pass), 0, 250); - $auth_pass_encrypted = 'true'; - } else { - $auth_pass_encrypted = 'false'; - } - + $auth_pass_encrypted = 'false'; $auth_pass = db_escape_string($auth_pass); if (db_num_rows($result) == 0) { diff --git a/include/rssfuncs.php b/include/rssfuncs.php index e667df41f..6c342971f 100644 --- a/include/rssfuncs.php +++ b/include/rssfuncs.php @@ -254,7 +254,7 @@ $auth_login = db_fetch_result($result, 0, "auth_login"); $auth_pass = db_fetch_result($result, 0, "auth_pass"); - if ($auth_pass_encrypted) { + if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { require_once "crypt.php"; $auth_pass = decrypt_string($auth_pass); } @@ -347,7 +347,7 @@ $auth_login = db_fetch_result($result, 0, "auth_login"); $auth_pass = db_fetch_result($result, 0, "auth_pass"); - if ($auth_pass_encrypted) { + if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) { require_once "crypt.php"; $auth_pass = decrypt_string($auth_pass); } diff --git a/install/index.php b/install/index.php index 00e90dfe7..16314edf6 100755 --- a/install/index.php +++ b/install/index.php @@ -128,12 +128,6 @@ $finished = false; - if (function_exists("mcrypt_decrypt")) { - $crypt_key = make_password(24); - } else { - $crypt_key = ""; - } - foreach ($data as $line) { if (preg_match("/define\('DB_TYPE'/", $line)) { $rv .= "\tdefine('DB_TYPE', '$DB_TYPE');\n"; @@ -149,8 +143,6 @@ $rv .= "\tdefine('DB_PORT', '$DB_PORT');\n"; } else if (preg_match("/define\('SELF_URL_PATH'/", $line)) { $rv .= "\tdefine('SELF_URL_PATH', '$SELF_URL_PATH');\n"; - } else if (preg_match("/define\('FEED_CRYPT_KEY'/", $line)) { - $rv .= "\tdefine('FEED_CRYPT_KEY', '$crypt_key');\n"; } else if (!$finished) { $rv .= "$line\n"; } diff --git a/update.php b/update.php index 65cf9f06e..821d25bce 100755 --- a/update.php +++ b/update.php @@ -38,6 +38,7 @@ "debug-feed:", "force-refetch", "force-rehash", + "decrypt-feeds", "help"); foreach (PluginHost::getInstance()->get_commands() as $command => $data) { @@ -91,6 +92,7 @@ print " --debug-feed N - perform debug update of feed N\n"; print " --force-refetch - debug update: force refetch feed data\n"; print " --force-rehash - debug update: force rehash articles\n"; + print " --decrypt-feeds - decrypt feed passwords\n"; print " --help - show this help\n"; print "Plugin options:\n"; @@ -402,6 +404,36 @@ update_rss_feed($feed); } + if (isset($options["decrypt-feeds"])) { + $result = db_query("SELECT id, auth_pass FROM ttrss_feeds WHERE auth_pass_encrypted = true"); + + if (!function_exists("mcrypt_decrypt")) { + _debug("mcrypt functions not available."); + return; + } + + require_once "crypt.php"; + + $total = 0; + + db_query("BEGIN"); + + while ($line = db_fetch_assoc($result)) { + _debug("processing feed id " . $line["id"]); + + $auth_pass = db_escape_string(decrypt_string($line["auth_pass"])); + + db_query("UPDATE ttrss_feeds SET auth_pass_encrypted = false, auth_pass = '$auth_pass' + WHERE id = " . $line["id"]); + + ++$total; + } + + db_query("COMMIT"); + + _debug("$total feeds processed."); + } + PluginHost::getInstance()->run_commands($options); if (file_exists(LOCK_DIRECTORY . "/$lock_filename"))