From c60bbb646884a95d0ce92f134acfa9eac608692f Mon Sep 17 00:00:00 2001 From: Dakota Gravitt Date: Fri, 25 Jul 2025 22:43:17 -0500 Subject: [PATCH] Prevent accidental deployment with default credentials - Removed: Default password hash from config-sample.php and inc.php - Clear instructions recommending users set a password hash Fix create.php api: - perform str_replace if acceptLang value is true to allow create.php via manual curl command for testing to work - curl -X POST http://localhost:8080/api/create.php -d "dur=300&int=5&pwd=hauk-test-password" will now work --- backend-php/include/config-sample.php | 8 ++++---- backend-php/include/inc.php | 5 +++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/backend-php/include/config-sample.php b/backend-php/include/config-sample.php index 9b9d07d..8c87ebf 100644 --- a/backend-php/include/config-sample.php +++ b/backend-php/include/config-sample.php @@ -74,10 +74,10 @@ // data to Hauk. To generate this value on the terminal: // - MD5 (insecure!): openssl passwd -1 // - bcrypt (secure): htpasswd -nBC 10 "" | tail -c +2 -"password_hash" => '$2y$10$4ZP1iY8A3dZygXoPgsXYV.S3gHzBbiT9nSfONjhWrvMxVPkcFq1Ka', -// Default value above is empty string (no password) and is VERY INSECURE. -// Trust me, you really should change this unless you intentionally want a -// public instance that anyone in the world can use freely. +"password_hash" => '', +// REQUIRED: You MUST set a password hash before using Hauk! +// The default empty value will not allow any connections. +// Generate a secure password hash using: htpasswd -nBC 10 "" | tail -c +2 // // Also note that users have the option to save the server password locally on // their devices using a "Remember password" checkbox. If they choose to do so, diff --git a/backend-php/include/inc.php b/backend-php/include/inc.php index 690a93a..6cec09d 100644 --- a/backend-php/include/inc.php +++ b/backend-php/include/inc.php @@ -64,8 +64,9 @@ const METERS_PER_SECOND = array( include(__DIR__."/lang/en/texts.php"); // Load the preferred language. -$acceptLang = str_replace("-", "_", filter_input(INPUT_SERVER, "HTTP_ACCEPT_LANGUAGE")); +$acceptLang = filter_input(INPUT_SERVER, "HTTP_ACCEPT_LANGUAGE"); if ($acceptLang) { + $acceptLang = str_replace("-", "_", $acceptLang); // Split the Accept-Language header into an array of possible languages. preg_match_all("/(([a-z]{1,8})(_([a-zA-Z]{1,8}))?)(\s*;\s*q\s*=\s*([01](\.\d{0,3})?))?\s*(,|$)/i", $acceptLang, $clientReq, PREG_SET_ORDER); @@ -124,7 +125,7 @@ const DEFAULTS = array( "redis_auth" => '', "redis_prefix" => 'hauk', "auth_method" => PASSWORD, - "password_hash" => '$2y$10$4ZP1iY8A3dZygXoPgsXYV.S3gHzBbiT9nSfONjhWrvMxVPkcFq1Ka', + "password_hash" => '', "htpasswd_path" => '/etc/hauk/users.htpasswd', "ldap_uri" => 'ldaps://ldap.example.com:636', "ldap_start_tls" => false,