authorLukas Reschke <lukas@owncloud.com>2015-05-26 14:11:38 +0200
committerLukas Reschke <lukas@owncloud.com>2015-05-26 14:16:07 +0200
commitbc6d17ed74a20c35ddb21f5f6b7b644664e5275c (patch)
tree80991e705aa9132d3c802b8383284c110f97dccc /core/js/tests/specs/setupchecksSpec.js
parentb82d902e184960877110bc45124ed2399f779cac (diff)
downloadnextcloud-server-bc6d17ed74a20c35ddb21f5f6b7b644664e5275c.tar.gz
nextcloud-server-bc6d17ed74a20c35ddb21f5f6b7b644664e5275c.zip
Add check for availability of /dev/urandom
Without /dev/urandom being available to read, the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens, which is an unwanted behaviour. One should note that this behaviour is documented in our documentation. To ensure that users become aware of this even without reading our documentation, this adds a post-setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention.
Diffstat (limited to 'core/js/tests/specs/setupchecksSpec.js')
-rw-r--r--core/js/tests/specs/setupchecksSpec.js22
1 files changed, 19 insertions, 3 deletions
diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js
index 3e6382603f5..65de3d0321d 100644
--- a/core/js/tests/specs/setupchecksSpec.js
+++ b/core/js/tests/specs/setupchecksSpec.js
@@ -66,7 +66,7 @@ describe('OC.SetupChecks tests', function() {
{
'Content-Type': 'application/json'
},
- JSON.stringify({serverHasInternetConnection: false, memcacheDocs: 'https://doc.owncloud.org/server/go.php?to=admin-performance'})
+ JSON.stringify({isUrandomAvailable: true, serverHasInternetConnection: false, memcacheDocs: 'https://doc.owncloud.org/server/go.php?to=admin-performance'})
);
async.done(function( data, s, x ){
@@ -83,7 +83,7 @@ describe('OC.SetupChecks tests', function() {
{
'Content-Type': 'application/json'
},
- JSON.stringify({serverHasInternetConnection: false, dataDirectoryProtected: false, memcacheDocs: 'https://doc.owncloud.org/server/go.php?to=admin-performance'})
+ JSON.stringify({isUrandomAvailable: true, serverHasInternetConnection: false, dataDirectoryProtected: false, memcacheDocs: 'https://doc.owncloud.org/server/go.php?to=admin-performance'})
);
async.done(function( data, s, x ){
@@ -100,7 +100,7 @@ describe('OC.SetupChecks tests', function() {
{
'Content-Type': 'application/json',
},
- JSON.stringify({serverHasInternetConnection: false, dataDirectoryProtected: false, isMemcacheConfigured: true})
+ JSON.stringify({isUrandomAvailable: true, serverHasInternetConnection: false, dataDirectoryProtected: false, isMemcacheConfigured: true})
);
async.done(function( data, s, x ){
@@ -109,6 +109,22 @@ describe('OC.SetupChecks tests', function() {
});
});
+ it('should return an error if /dev/urandom is not accessible', function(done) {
+ var async = OC.SetupChecks.checkSetup();
+
+ suite.server.requests[0].respond(
+ 200,
+ {
+ 'Content-Type': 'application/json',
+ },
+ JSON.stringify({isUrandomAvailable: false, securityDocs: 'https://docs.owncloud.org/myDocs.html', serverHasInternetConnection: true, dataDirectoryProtected: true, isMemcacheConfigured: true})
+ );
+
+ async.done(function( data, s, x ){
+ expect(data).toEqual(['/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a href="https://docs.owncloud.org/myDocs.html">documentation</a>.']);
+ done();
+ });
+ });
it('should return an error if the response has no statuscode 200', function(done) {
var async = OC.SetupChecks.checkSetup();