BUG 6948 Database connection credentials are stored in plain text

This issue was fixed, added a way to encryp the passwords
2011-06-10 16:07:53 -04:00
parent 14b44b3efd
commit 4fa0269696
3 changed files with 65 additions and 7 deletions
--- a/workflow/engine/classes/class.dbConnections.php
+++ b/workflow/engine/classes/class.dbConnections.php
@@ -396,4 +396,56 @@ class dbConnections
    return $aRet;
  }
  
+  /**
+   * Function encryptThepassw
+   * @author krlos Pacha C. <carlos@colosa.com>
+   * @access public
+   * @param string proUid
+   * @return void
+   */
+  public function encryptThepassw($proUid){
+    $oDBSource   = new DbSource();
+  
+    $c = new Criteria();
+    $c->clearSelectColumns();
+    $c->addSelectColumn(DbSourcePeer::DBS_UID);
+    $c->addSelectColumn(DbSourcePeer::DBS_DATABASE_NAME);    
+    $c->addSelectColumn(DbSourcePeer::DBS_PASSWORD);
+    $c->add(DbSourcePeer::PRO_UID, $proUid);
+    $result = DbSourcePeer::doSelectRS($c);
+    $result->next();
+    $row = $result->getRow();
+    while ($row = $result->getRow()) {
+     if($row[2]!=''){
+      $aPass = explode('_', $row[2]);
+      if(count($aPass)==1) {
+       $passEncrypt = G::encrypt($row[2], $row[1]);
+       $passEncrypt.="_2NnV3ujj3w";
+       $c2 = new Criteria('workflow');
+       $c2->add(DbSourcePeer::DBS_PASSWORD, $passEncrypt);
+       $c3 = new Criteria('workflow');
+       $c3->add(DbSourcePeer::DBS_UID, $row[0]);
+       BasePeer::doUpdate($c3, $c2, Propel::getConnection('workflow'));
+      }
+     }
+      $result->next();
+    }
+   return 1;
+  }
+  /**
+   * Function getPassWithoutEncrypt
+   * @author krlos Pacha C. <carlos@colosa.com>
+   * @access public
+   * @param string passw
+   * @return string
+   */
+  public function getPassWithoutEncrypt($aInfoCon){
+   if($aInfoCon['DBS_PASSWORD']!=''){
+    $aPassw =explode('_',$aInfoCon['DBS_PASSWORD']);
+    $passw = $aPassw[0];
+    if(sizeof($aPassw)>1)
+      $passw = ($passw == 'none') ? "": G::decrypt($passw,$aInfoCon['DBS_DATABASE_NAME']);
+   }
+  return $passw;
+  }
 }
--- a/workflow/engine/methods/dbConnections/dbConnectionsAjax.php
+++ b/workflow/engine/methods/dbConnections/dbConnectionsAjax.php
@@ -102,6 +102,9 @@ switch ( $action ){
 		$dbServices = $dbs->getDbServicesAvailables();
 		$dbService = $dbs->getEncondeList();
 		
+              //we are updating the passwords with encrupt info
+               $dbs->encryptThepassw($_SESSION['PROCESS']);
+              //end updating
  
 		$rows[] = array('uid' => 'char', 'name' => 'char');

@@ -134,7 +137,8 @@ switch ( $action ){
 		if ($aFields['DBS_PORT'] == '0') {
 		  $aFields['DBS_PORT'] = '';
 		}
-
+               $aFields['DBS_PASSWORD']=$dbs->getPassWithoutEncrypt($aFields['DBS_PASSWORD']);
+               $aFields['DBS_PASSWORD']=($aFields['DBS_PASSWORD'] == 'none') ? "": G::decrypt($aFields['DBS_PASSWORD'], $aFields['DBS_DATABASE_NAME']);
 		$G_PUBLISH->AddContent('xmlform', 'xmlform', 'dbConnections/dbConnections_Edit', '', $aFields);
 		G::RenderPage('publish', 'raw');
 		break;
@@ -150,7 +154,7 @@ switch ( $action ){
 			'DBS_SERVER' => $_POST['server'],
 			'DBS_DATABASE_NAME' => $_POST['db_name'],
 			'DBS_USERNAME' => $_POST['user'],
-			'DBS_PASSWORD' => (($_POST['passwd'] == 'none') ? "": $_POST['passwd']),
+			'DBS_PASSWORD' => (($_POST['passwd'] == 'none') ? "": G::encrypt($_POST['passwd'], $_POST['db_name']))."_2NnV3ujj3w",
 			'DBS_PORT' => (($_POST['port'] == 'none') ? "": $_POST['port']),
 			'DBS_ENCODE' => $_POST['enc']
 		);
@@ -170,7 +174,7 @@ switch ( $action ){
 			'DBS_SERVER' => $_POST['server'],
 			'DBS_DATABASE_NAME' => $_POST['db_name'],
 			'DBS_USERNAME' => $_POST['user'],
-			'DBS_PASSWORD' => (($_POST['passwd'] == 'none') ? "": $_POST['passwd']),
+			'DBS_PASSWORD' => (($_POST['passwd'] == 'none') ? "": G::encrypt($_POST['passwd'], $_POST['db_name']))."_2NnV3ujj3w",
 			'DBS_PORT' => (($_POST['port'] == 'none') ? "": $_POST['port']),
 			'DBS_ENCODE' => $_POST['enc']
 		);
--- a/workflow/engine/methods/dbConnections/genericDbConnections.php
+++ b/workflow/engine/methods/dbConnections/genericDbConnections.php
@@ -7,8 +7,10 @@
 if( isset($_SESSION['PROCESS']) ){
    $pro = include (PATH_CORE . "config/databases.php");
    G::LoadClass('dbConnections');
+
    $oDbConnections = new dbConnections($_SESSION['PROCESS']);
    foreach( $oDbConnections->connections as $db ) {
+        $db['DBS_PASSWORD'] = $oDbConnections->getPassWithoutEncrypt($db);
        $dbsPort = ($db['DBS_PORT'] == '') ? ('') : (':'.$db['DBS_PORT']);
        $ENCODE = (trim($db['DBS_ENCODE']) == '')? '': '?encoding=' . $db['DBS_ENCODE'];
        $pro['datasources'][$db['DBS_UID']]['connection'] = $db['DBS_TYPE'] . '://' . $db['DBS_USERNAME'] . ':' . $db['DBS_PASSWORD'] . '@' . $db['DBS_SERVER'] .$dbsPort. '/' . $db['DBS_DATABASE_NAME'] . $ENCODE;