From bc6d17ed74a20c35ddb21f5f6b7b644664e5275c Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 26 May 2015 14:11:38 +0200 Subject: Add check for availability of /dev/urandom Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention. --- tests/settings/controller/CheckSetupControllerTest.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'tests/settings/controller') diff --git a/tests/settings/controller/CheckSetupControllerTest.php b/tests/settings/controller/CheckSetupControllerTest.php index 26f9f4e9459..b21e78c831d 100644 --- a/tests/settings/controller/CheckSetupControllerTest.php +++ b/tests/settings/controller/CheckSetupControllerTest.php @@ -224,10 +224,14 @@ class CheckSetupControllerTest extends TestCase { $this->util->expects($this->once()) ->method('isHtaccessWorking') ->will($this->returnValue(true)); - $this->urlGenerator->expects($this->once()) + $this->urlGenerator->expects($this->at(0)) ->method('linkToDocs') ->with('admin-performance') ->willReturn('http://doc.owncloud.org/server/go.php?to=admin-performance'); + $this->urlGenerator->expects($this->at(1)) + ->method('linkToDocs') + ->with('admin-security') + ->willReturn('https://doc.owncloud.org/server/8.1/admin_manual/configuration_server/hardening.html'); $expected = new DataResponse( [ @@ -235,6 +239,8 @@ class CheckSetupControllerTest extends TestCase { 'dataDirectoryProtected' => true, 'isMemcacheConfigured' => true, 'memcacheDocs' => 'http://doc.owncloud.org/server/go.php?to=admin-performance', + 'isUrandomAvailable' => \Test_Helper::invokePrivate($this->checkSetupController, 'isUrandomAvailable'), + 'securityDocs' => 'https://doc.owncloud.org/server/8.1/admin_manual/configuration_server/hardening.html', ] ); $this->assertEquals($expected, $this->checkSetupController->check()); -- cgit v1.2.3