Store credentials only in session if required #11747
$mountpoints = \OC_Mount_Config::getAbsoluteMountPoints($params['uid']); | ||
$mountpointClasses = array(); | ||
foreach($mountpoints as $mountpoint) { | ||
$mountpointClasses[$mountpoint['class']] = ''; |
You could set it to true.
Good point - will change.
Let's schedule this for 7.0.4 - seems like too big a change for me to merge right away so shortly before a release. This PR is there to store the user credentials only in the session (and therefore unprotected on the disk) in case the SMB_OC storage is used. Furthermore, the credentials are now stored encrypted instead of being plain text. While this PR seems big it's mostly the backport of the \OC\Security\Crypto class which we already have in master and is very useful to encrypt things with a global key. I believe it's better to backport this class instead of adding yet another encryption function just for this sake. The actual change regarding the storage is not that big: 30e39ab @karlitschek Would that be ok for you?
@LukasReschke agreed
86e9d3c to 1835b4d
@icewind1991 Could you review this please? - Thank you!
return hash_equals($expected, $input); | ||
} | ||
|
||
$randomString = \OC_Util::generateRandomBytes(10); |
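Review bot: hash_equals() in the fragment above only exists from PHP 5.6 onward; if the stable7 branch still supports older PHP releases, the Crypto backport needs a constant-time fallback for that comparison (a byte-wise loop that accumulates an XOR difference over the full length), otherwise the call is a fatal error on those installs.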
Use the public api for random strings here?
That's for stable7 where the interface does not exist. - Master will have this changed. I don't think it makes a difference if we use the non-public API here for that. - It's doomed to die anyway.
Ok, didn't notice this was against stable7
Code looks good 👍
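The design discussed in this PR (credentials kept only in the session, encrypted under one global key, with a constant-time hash_equals() check) as an added illustration; this is not the \OC\Security\Crypto class being backported, but an independent encrypt-then-MAC sketch that assumes PHP >= 7.0 with the OpenSSL extension and uses a constructed secret for the demo.

```php
<?php
// Added illustration, not ownCloud's \OC\Security\Crypto: encrypt-then-MAC a
// credential under one server-wide secret, verify the MAC in constant time,
// and only then decrypt. Assumes PHP >= 7.0 with the OpenSSL extension.
const CIPHER = 'aes-256-cbc';

// Derive separate encryption and MAC keys from the single global secret.
function deriveKeys(string $globalSecret): array {
    return [
        hash_hmac('sha256', 'enc', $globalSecret, true),
        hash_hmac('sha256', 'mac', $globalSecret, true),
    ];
}

function encryptCredential(string $plaintext, string $globalSecret): string {
    list($encKey, $macKey) = deriveKeys($globalSecret);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // MAC covers IV and ciphertext so neither can be swapped independently.
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($iv . $ct . $mac);
}

function decryptCredential(string $blob, string $globalSecret) {
    list($encKey, $macKey) = deriveKeys($globalSecret);
    $raw = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + 32) {
        return null; // too short to hold IV + ciphertext + SHA-256 MAC
    }
    $iv = substr($raw, 0, $ivLen);
    $mac = substr($raw, -32);
    $ct = substr($raw, $ivLen, -32);
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    // Constant-time comparison, like the hash_equals() call in this PR.
    if (!hash_equals($expected, $mac)) {
        return null; // tampered blob or wrong key: refuse to decrypt
    }
    $plain = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// Demo with a constructed secret; a deployment would load it from its config.
$secret = 'constructed-example-global-secret';
$stored = encryptCredential('smb-password-example', $secret);
var_dump(decryptCredential($stored, $secret));          // round trip
$raw = base64_decode($stored);
$raw[20] = chr(ord($raw[20]) ^ 1);                       // flip one ciphertext bit
var_dump(decryptCredential(base64_encode($raw), $secret)); // MAC check rejects it
```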
1835b4d to 539d7ce
@MorrisJobke Care to review this? - The backport of #11947 depends on this one.
Conflicts: lib/repair/repairconfig.php
539d7ce to 74b68e1
The inspection completed: 7 new issues, 26 updated code elements
(coming from #11939)
That's even more snake-oil. Let's not overcomplicate things. Especially because we regenerate the session a few times, then everything would be broken again = bad :-)
(Especially because we're going to store it in mount.json anyways as is documented on the linked issue)
See #12216
@Xenopathic what do you think ?
I like the crypto element, it certainly makes it a bit better than storing the password raw in the session! 👍 from me
🚀 Test PASSed. 🚀
Tagging as 7.0 since the backport was approved.
Steps to test:
That's it. Worked for me. 👍 I'd like to wait for @jnfrmarks' feedback before merging this, to make sure there is still enough time to test this.
@jnfrmarks We promised this for 7.0.4 to somebody. Can you please test this?
Let's merge it then, already got three thumbs up and backport approval.
…IfRequired Store credentials only in session if required
Will port to master.
Master: #12523
I don't understand what the bug is. I ran through the steps listed earlier on how to reproduce the issue but I don't know what the issue is :) I was able to successfully create the smb mount and navigate through the files using 7.0.3.
@jnfrmarks You need to look at the PHP session files (depends on the OS where located) when logged in with and without the patch. But if everything works as before this means that this patch works fine - no visible changes to the user :)
So far, I have only tested this with 7.0.3 - I'm trying to reproduce the original issue. Where do I look for the PHP session files? My server is on either CentOS or Ubuntu (I'm testing with both)
Depends on your operating system Ubuntu is AFAIK |
Fixes: