2 Commits
Author | SHA1 | Date |
---|---|---|
erinn | f3c7f1cc0b | |
erinn | c168f7c88e |
|
@ -1,3 +1,8 @@
|
|||
![](./img/logo.png)
|
||||
|
||||
This is the PHP/webserver component for Lockbox. For instructions visit [the Lockbox app's main repository](https://git.openprivacy.ca/openprivacy/lockbox).
|
||||
This is the PHP/webserver component for Lockbox. For instructions visit [the Lockbox app's main repository](https://git.openprivacy.ca/openprivacy/lockbox).
|
||||
|
||||
|
||||
### Acknowledgements
|
||||
|
||||
* thanks to Steve Weis (@sweis) for reporting a potential timing attack against admin password validation
|
|
@ -2,7 +2,9 @@
|
|||
|
||||
require_once 'php/config.inc.php';
|
||||
|
||||
$password = "sexworkiswork";
|
||||
// To generate a password hash, use the following command on a secure local machine:
|
||||
// php -r 'echo password_hash("adminpasswordhere", PASSWORD_DEFAULT);'
|
||||
$password = '$2y$10$ORfmg3iGr25X2Y.MYxTp5OxYC02dUF8swQ/dbeYreMR0ea0LIUk0u';
|
||||
|
||||
define('FORMCONTENTS', '<form method="post">
|
||||
<p>Password: <input type="password" name="password"> <input type="submit" class="button-primary" value="Download encrypted submissions"></p>
|
||||
|
@ -30,7 +32,7 @@ if (count($ADMIN_IPS) > 0 && array_search($ip, $ADMIN_IPS) === false) {
|
|||
include footer;
|
||||
} else {
|
||||
if (isset($_POST) && isset($_POST['password'])) {
|
||||
if ($_POST['password'] === $password) {
|
||||
if (password_verify($_POST['password'], $password)) {
|
||||
header('Content-Type: application/octet-stream');
|
||||
header("Content-Transfer-Encoding: Binary");
|
||||
header("Content-disposition: attachment; filename=\"submissions.dat\"");
|
||||
|
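Review bot: The new check `password_verify($_POST['password'], $password)` passes the raw request value straight through, and `$_POST['password']` is not guaranteed to be a string: a request sending `password[]=` hands an array to password_verify, which on PHP 8 throws a TypeError (an unhandled 500 on the admin page) and on older versions raises a warning instead of a clean failure; the guard on the preceding line only tests `isset`, and `isset($_POST)` itself is always true. A string check closes that: `if (isset($_POST['password']) && is_string($_POST['password'])) {` followed by `if (password_verify($_POST['password'], $password)) {` as now. Separately, the bcrypt hash literal in the earlier hunk (`$password = '$2y$10$...'`) lives in the tracked PHP file even though `php/config.inc.php` is already pulled in two lines above it; defining the hash there (or reading it from the environment) keeps a deployment's real credential out of version control, and since the previous plaintext value remains in the repository history the deployed password should be rotated rather than just re-hashed. The enclosing if/else block starts and ends outside this hunk.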
|