deprecate encrypted feed passwords because mcrypt is getting removed from php 7.1
authorAndrew Dolgov <noreply@fakecake.org>
Sat, 7 Jan 2017 11:25:46 +0000 (14:25 +0300)
committerAndrew Dolgov <noreply@fakecake.org>
Sat, 7 Jan 2017 11:25:46 +0000 (14:25 +0300)
1. transparent decryption for existing installs stays for the time being
2. new passwords are not going to be encrypted even if FEED_CRYPT_KEY is defined
3. added update.php --decrypt-feeds to bulk decrypt existing encrypted passwords
4. updated install to not auto-generate crypt key
5. added warning to config.php-dist

classes/pref/feeds.php
config.php-dist
include/crypt.php
include/functions.php
include/rssfuncs.php
install/index.php
update.php

index 2803d68ecfd6537ed213aa83848d2bf71b99ec4c..6795236d5310b4b28063c92fd25e24687c8d8a34 100755 (executable)
@@ -646,7 +646,7 @@ class Pref_Feeds extends Handler_Protected {
 
                $auth_pass = $this->dbh->fetch_result($result, 0, "auth_pass");
 
-               if ($auth_pass_encrypted) {
+               if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
                        require_once "crypt.php";
                        $auth_pass = decrypt_string($auth_pass);
                }
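Review bot: When mcrypt is unavailable the new condition `if ($auth_pass_encrypted && function_exists("mcrypt_decrypt"))` simply falls through, leaving `$auth_pass` holding the stored `iv:ciphertext` blob, which then continues down the method as if it were the plaintext password. The same pattern is in both hunks of include/rssfuncs.php, where that blob would presumably be sent to the feed server as credentials, and here in Pref_Feeds it looks like the value feeds the edit form, so a subsequent save (next hunk, `$auth_pass_encrypted = 'false';`) would presumably persist the ciphertext as a plaintext password. An encrypted password that cannot be decrypted should be treated as unusable instead, e.g. `} else if ($auth_pass_encrypted) { $auth_pass = ""; }` with a log line pointing the admin at `update.php --decrypt-feeds`. The enclosing method starts and ends outside the hunk.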
@@ -983,14 +983,7 @@ class Pref_Feeds extends Handler_Protected {
 
                $feed_language = $this->dbh->escape_string(trim($_POST["feed_language"]));
 
-               if (strlen(FEED_CRYPT_KEY) > 0) {
-                       require_once "crypt.php";
-                       $auth_pass = substr(encrypt_string($auth_pass), 0, 250);
-                       $auth_pass_encrypted = 'true';
-               } else {
-                       $auth_pass_encrypted = 'false';
-               }
-
+               $auth_pass_encrypted = 'false';
                $auth_pass = $this->dbh->escape_string($auth_pass);
 
                if (get_pref('ENABLE_FEED_CATS')) {
@@ -1889,14 +1882,7 @@ class Pref_Feeds extends Handler_Protected {
                                        "SELECT id FROM ttrss_feeds
                                        WHERE feed_url = '$feed' AND owner_uid = ".$_SESSION["uid"]);
 
-                               if (strlen(FEED_CRYPT_KEY) > 0) {
-                                       require_once "crypt.php";
-                                       $pass = substr(encrypt_string($pass), 0, 250);
-                                       $auth_pass_encrypted = 'true';
-                               } else {
-                                       $auth_pass_encrypted = 'false';
-                               }
-
+                               $auth_pass_encrypted = 'false';
                                $pass = $this->dbh->escape_string($pass);
 
                                if ($this->dbh->num_rows($result) == 0) {
index 2eaaab6173de0d68bb01243338346957399abf7f..c86af943be85da8c1b4be0f3fa75b2a88a0dd4c3 100644 (file)
        // including PUSH, bookmarklets and browser integration will not work properly.
 
        define('FEED_CRYPT_KEY', '');
+       // WARNING: mcrypt is deprecated in php 7.1. This directive exists for backwards
+       // compatibility with existing installs, new passwords are NOT going to be encrypted.
+       // Use update.php --decrypt-feeds to decrypt existing passwords in the database while
+       // mcrypt is still available.
+
        // Key used for encryption of passwords for password-protected feeds
        // in the database. A string of 24 random characters. If left blank, encryption
        // is not used. Requires mcrypt functions.
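Review bot: The pre-existing description directly under the new warning still reads `// Key used for encryption of passwords for password-protected feeds` and `// is not used. Requires mcrypt functions.`, which contradicts the warning now that new passwords are never encrypted regardless of this key. Since both paragraphs sit next to each other, the older one should be reworded in the same change, e.g. `// Key used to decrypt feed passwords stored by earlier versions. New passwords are stored unencrypted; leave blank on new installs.` Whether the rest of the template references FEED_CRYPT_KEY elsewhere is not visible from this hunk.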
index f06483ef118a963b0a074ea8009bc697158f0d08..217ad3b0fb5197447dca51a9b311256152bb4ee6 100644 (file)
 
                return false;
        }
-
-       function encrypt_string($str) {
-               $key = hash('SHA256', FEED_CRYPT_KEY, true);
-
-               $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128,
-                       MCRYPT_MODE_CBC), MCRYPT_RAND);
-
-               $encstr = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $str,
-                       MCRYPT_MODE_CBC, $iv);
-
-               $iv_base64 = base64_encode($iv);
-               $encstr_base64 = base64_encode($encstr);
-
-               return "$iv_base64:$encstr_base64";
-       }
 ?>
index f10c3a00b0015e650958f17c63d601b189064051..ce7627d5a77cd859600304b989c359a4b50e651e 100755 (executable)
                        "SELECT id FROM ttrss_feeds
                        WHERE feed_url = '$url' AND owner_uid = ".$_SESSION["uid"]);
 
-               if (strlen(FEED_CRYPT_KEY) > 0) {
-                       require_once "crypt.php";
-                       $auth_pass = substr(encrypt_string($auth_pass), 0, 250);
-                       $auth_pass_encrypted = 'true';
-               } else {
-                       $auth_pass_encrypted = 'false';
-               }
-
+               $auth_pass_encrypted = 'false';
                $auth_pass = db_escape_string($auth_pass);
 
                if (db_num_rows($result) == 0) {
index e667df41f99d2596ca594ca6f048a2e437d3c9f8..6c342971fc9b73bc93094cdeb3633d1f0be9649c 100644 (file)
                $auth_login = db_fetch_result($result, 0, "auth_login");
                $auth_pass = db_fetch_result($result, 0, "auth_pass");
 
-               if ($auth_pass_encrypted) {
+               if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
                        require_once "crypt.php";
                        $auth_pass = decrypt_string($auth_pass);
                }
                $auth_login = db_fetch_result($result, 0, "auth_login");
                $auth_pass = db_fetch_result($result, 0, "auth_pass");
 
-               if ($auth_pass_encrypted) {
+               if ($auth_pass_encrypted && function_exists("mcrypt_decrypt")) {
                        require_once "crypt.php";
                        $auth_pass = decrypt_string($auth_pass);
                }
index 00e90dfe7c8d8db348cfc35d3de9a3f63e7035b5..16314edf651a25aa27e555e3bcf1ea1a6aec3320 100755 (executable)
 
                $finished = false;
 
-               if (function_exists("mcrypt_decrypt")) {
-                       $crypt_key = make_password(24);
-               } else {
-                       $crypt_key = "";
-               }
-
                foreach ($data as $line) {
                        if (preg_match("/define\('DB_TYPE'/", $line)) {
                                $rv .= "\tdefine('DB_TYPE', '$DB_TYPE');\n";
                                $rv .= "\tdefine('DB_PORT', '$DB_PORT');\n";
                        } else if (preg_match("/define\('SELF_URL_PATH'/", $line)) {
                                $rv .= "\tdefine('SELF_URL_PATH', '$SELF_URL_PATH');\n";
-                       } else if (preg_match("/define\('FEED_CRYPT_KEY'/", $line)) {
-                               $rv .= "\tdefine('FEED_CRYPT_KEY', '$crypt_key');\n";
                        } else if (!$finished) {
                                $rv .= "$line\n";
                        }
index 65cf9f06efbea909b923a305abf6d954dca1b020..821d25bce27c5262d65cdfddd62adea65b88e24c 100755 (executable)
@@ -38,6 +38,7 @@
                        "debug-feed:",
                        "force-refetch",
                        "force-rehash",
+                       "decrypt-feeds",
                        "help");
 
        foreach (PluginHost::getInstance()->get_commands() as $command => $data) {
@@ -91,6 +92,7 @@
                print "  --debug-feed N       - perform debug update of feed N\n";
                print "  --force-refetch      - debug update: force refetch feed data\n";
                print "  --force-rehash       - debug update: force rehash articles\n";
+               print "  --decrypt-feeds      - decrypt feed passwords\n";
                print "  --help               - show this help\n";
                print "Plugin options:\n";
 
                update_rss_feed($feed);
        }
 
+       if (isset($options["decrypt-feeds"])) {
+               $result = db_query("SELECT id, auth_pass FROM ttrss_feeds WHERE auth_pass_encrypted = true");
+
+               if (!function_exists("mcrypt_decrypt")) {
+                       _debug("mcrypt functions not available.");
+                       return;
+               }
+
+               require_once "crypt.php";
+
+               $total = 0;
+
+               db_query("BEGIN");
+
+               while ($line = db_fetch_assoc($result)) {
+                       _debug("processing feed id " . $line["id"]);
+
+                       $auth_pass = db_escape_string(decrypt_string($line["auth_pass"]));
+
+                       db_query("UPDATE ttrss_feeds SET auth_pass_encrypted = false, auth_pass = '$auth_pass' 
+                               WHERE id = " . $line["id"]);
+
+                       ++$total;
+               }
+
+               db_query("COMMIT");
+
+               _debug("$total feeds processed.");
+       }
+
        PluginHost::getInstance()->run_commands($options);
 
        if (file_exists(LOCK_DIRECTORY . "/$lock_filename"))
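Review bot: The loop writes back whatever `decrypt_string($line["auth_pass"])` returns and flips `auth_pass_encrypted = false` in the same UPDATE, so a row decrypted with a cleared or changed FEED_CRYPT_KEY (garbage), or one where decrypt_string fails (the `return false;` left visible in the include/crypt.php hunk suggests it can, and `db_escape_string(false)` is an empty string), loses its only copy of the ciphertext with no way to retry. Check that FEED_CRYPT_KEY is non-empty before starting, skip and report rows whose decryption fails instead of overwriting them, and run the `SELECT` only after the mcrypt availability check so the tool does not query and then bail out. Whether the `return` on missing mcrypt exits update.php or an enclosing function depends on scope that starts outside the hunk.
```php
if (isset($options["decrypt-feeds"])) {
    if (!function_exists("mcrypt_decrypt")) {
        _debug("mcrypt functions not available.");
        return;
    }

    if (strlen(FEED_CRYPT_KEY) == 0) {
        _debug("FEED_CRYPT_KEY is not set, unable to decrypt feed passwords.");
        return;
    }

    require_once "crypt.php";

    $result = db_query("SELECT id, auth_pass FROM ttrss_feeds WHERE auth_pass_encrypted = true");

    $total = 0;
    $failed = 0;

    db_query("BEGIN");

    while ($line = db_fetch_assoc($result)) {
        _debug("processing feed id " . $line["id"]);

        $decrypted = decrypt_string($line["auth_pass"]);

        // Leave the ciphertext untouched when it cannot be decrypted so the run can be retried.
        if ($decrypted === false) {
            _debug("unable to decrypt password for feed id " . $line["id"] . ", skipping");
            ++$failed;
            continue;
        }

        $auth_pass = db_escape_string($decrypted);

        // … unchanged: UPDATE ttrss_feeds SET auth_pass_encrypted = false, auth_pass = … …

        ++$total;
    }

    db_query("COMMIT");

    _debug("$total feeds processed, $failed skipped.");
}
```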