Better RNG choosen (mt_rand()), writing initial secret file fixed, thanks to profi...

[mailer.git] / inc / gen_sql_patches.php

diff --git a/inc/gen_sql_patches.php b/inc/gen_sql_patches.php
index 5876e3d5fd88c71dc607c5da7eb37dfc6958e750..f4251010df6d9bfe929759eb0c09f4d4acff4dc2 100644 (file)
--- a/inc/gen_sql_patches.php
+++ b/inc/gen_sql_patches.php
@@ -47,41 +47,41 @@ if (empty($_CONFIG['pass_scramble'])) {
 
        // ... and store it there for future usage
        $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET pass_scramble='%s' WHERE config=0 LIMIT 1",
-        array($scrambleString), __FILE__, __LINE__);
+               array($scrambleString), __FILE__, __LINE__);
 
        // Also remember it in config
        $_CONFIG['pass_scramble'] = $scrambleString;
        unset($scrambleString);
-}
+} // END - if
 
 // Check if there is no master salt string
 if (empty($_CONFIG['master_salt'])) {
        // Generate the master salt which is the first chars minus 40 chars of this random hash
        // We do an extra scrambling here...
-       $masterSalt = scrambleString(substr(generateHash(GEN_PASS(rand(128, 256))), 0, -40));
+       $masterSalt = scrambleString(substr(generateHash(GEN_PASS(mt_rand(128, 256))), 0, -40));
 
        // ... and store it there for future usage
        $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET master_salt='%s' WHERE config=0 LIMIT 1",
-        array($masterSalt), __FILE__, __LINE__);
+               array($masterSalt), __FILE__, __LINE__);
 
        // Also remember it in config
        $_CONFIG['master_salt'] = $masterSalt;
        unset($masterSalt);
-}
+} // END - if
 
 if (empty($_CONFIG['file_hash'])) {
        // Create filename from hashed random string
-       $file_hash = generateHash(GEN_PASS(rand(128, 256)));
-       $file = sprintf("%sinc/.secret/.%s", PATH, $file_hash);
+       $file_hash = generateHash(sha1(GEN_PASS(mt_rand(128, 256))));
+       $file = PATH."inc/.secret/.".$file_hash;
 
        // File hash was never created
        $fp = @fopen($file, 'w') or mxchange_die("Cannot write secret key file!");
        if ($fp != false) {
                // Could write to secret file! So let's generate the secret key...
                // 1. Count of chars to be taken from back of the string
-               $nums = rand(40, 45);
+               $nums = mt_rand(40, 45);
                // 2. Generate secret key from a randomized string
-               $secretKey = substr(generateHash(GEN_PASS(rand(128, 256))), -$nums);
+               $secretKey = substr(generateHash(GEN_PASS(mt_rand(128, 256))), -$nums);
                // 3. Write the key to the file
                fwrite($fp, $secretKey);
                // 4. Close file
@@ -97,17 +97,23 @@ if (empty($_CONFIG['file_hash'])) {
 
                // Write $file_hash to database
                $result = SQL_QUERY_ESC("UPDATE "._MYSQL_PREFIX."_config SET file_hash='%s' WHERE config=0 LIMIT 1",
-                array($file_hash), __FILE__, __LINE__);
+                       array($file_hash), __FILE__, __LINE__);
 
-               // Also update configuration
-               $_CONFIG['secret_key'] = $secretKey;
-               $_CONFIG['file_hash']  = $file_hash;
+               // Also create .htaccess file
+               $fp = @fopen(PATH."inc/.secret/.htaccess", 'w') or mxchange_die("Cannot write to .htaccess file!");
+               if ($fp != false) {
+                       // Add deny line to file
+                       fwrite($fp, "Deny from all");
 
-               // And remove some variables
-               unset($secretKey);
-               unset($file_hash);
-       }
-}
+                       // Close the file
+                       fclose($fp);
+               } // END - if
+
+               // Also update configuration
+               $_CONFIG['secret_key'] = $secretKey; unset($secretKey);
+               $_CONFIG['file_hash']  = $file_hash; unset($file_hash);
+       } // END - if
+} // END - if
 
 //
-?>
+?>
\ No newline at end of file