Harden updater authentication #22276
Conversation
@karlitschek @VicDeo @DeepDiver1975 Please review.
👍
👍 Can we do a bit longer than 2 hours please? I'm worried that we are running into a timeout situation here. I don't think there is harm done when we do 2 days instead of 2 hours.
Fair enough. Let's make it two days; considering this change, it's also not as critical anymore as before.
- Reset tokens after 2 hours as discussed at owncloud/updater#220 (comment)
- Used BCrypt for storing the password in the config.php. This makes it substantially harder in case of a leakage of the token to bruteforce it. In the future we can evaluate also an HMAC including the IP. That's a bit trickier though at the moment considering that we support reverse proxies. Didn't feel brave enough to touch that dragon now as well ;)
1c44692 to 5680743
2 days it is 😉
👍 Tested
The reason behind this is that if somebody is able to read the config file somehow, this won't immediately result in an RCE.
Requires owncloud/updater#239
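The scheme the commit message and the description above describe, as an added example that is not ownCloud's own code: the updater secret is stored in the config array only as a bcrypt hash alongside its issue time, and a presented token is accepted only if it verifies against that hash and is no older than two days. The config key names, the `created` timestamp field and the function names are assumptions for illustration; the page does not show ownCloud's real names.

```php
<?php
// Added example, not ownCloud's implementation. Demonstrates the hardening
// described in the PR: bcrypt-hashed secret in config.php plus a 2-day expiry.

const UPDATER_SECRET_TTL = 2 * 24 * 3600; // two days, as agreed in the thread

/**
 * Issue a fresh updater secret. Returns the plaintext (shown once to the
 * admin) and the entries to persist in the config array.
 * Key names below are hypothetical, not ownCloud's real config keys.
 */
function issueUpdaterSecret(int $now): array {
    $secret = bin2hex(random_bytes(32)); // 256 bits of CSPRNG output
    $config = [
        'updater.secret'         => password_hash($secret, PASSWORD_BCRYPT, ['cost' => 10]),
        'updater.secret.created' => $now, // assumed field used for the expiry check
    ];
    return [$secret, $config];
}

/**
 * Accept a presented token only if a secret has been issued, the secret is
 * within its lifetime, and the token matches the stored bcrypt hash.
 */
function verifyUpdaterSecret(string $presented, array $config, int $now): bool {
    if (!isset($config['updater.secret'], $config['updater.secret.created'])) {
        return false; // nothing issued: the updater endpoint stays closed
    }
    if ($now - (int)$config['updater.secret.created'] > UPDATER_SECRET_TTL) {
        return false; // expired: a leaked or forgotten token stops working
    }
    // password_verify() compares in constant time and recomputes bcrypt, so a
    // leaked config.php yields only a slow-to-brute-force hash, not the token.
    return password_verify($presented, $config['updater.secret']);
}

// Demonstration on constructed inputs.
[$secret, $config] = issueUpdaterSecret(time());
var_dump(verifyUpdaterSecret($secret, $config, time()));             // correct token, in time
var_dump(verifyUpdaterSecret('not-the-token', $config, time()));     // wrong token
var_dump(verifyUpdaterSecret($secret, $config, time() + 3 * 86400)); // same token, 3 days later
```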