detect dummy or short encryption key

src/sp_config_keywords.c

@@ -136,6 +136,19 @@ SP_PARSE_FN(parse_global) {
       {0, 0, 0}};
 
   SP_PROCESS_CONFIG_KEYWORDS_ERR();
+
+  if (SPCFG(encryption_key)) {
+    if (ZSTR_LEN(SPCFG(encryption_key)) < 10) {
+      sp_log_err("config", "The encryption key set on line %zu is too short. please use at least 10 bytes", parsed_rule->lineno);
+      return SP_PARSER_ERROR;
+    }
+    if (zend_string_equals_literal(SPCFG(encryption_key), "YOU _DO_ NEED TO CHANGE THIS WITH SOME RANDOM CHARACTERS.") ||
+        zend_string_equals_literal(SPCFG(encryption_key), "c6a0e02b3b818f7559d5f85303d8fe44")) {
+      sp_log_err("config", "The encryption key set on line %zu is an unchanged dummy value. please use a unique secret.", parsed_rule->lineno);
+      return SP_PARSER_ERROR;
+    }
+  }
+
   return SP_PARSER_STOP;
 }
 

src/tests/broken_configuration/config/broken_conf_cookie_name_and_regexp.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("my_cookie_name").name_r("my_cookie_regexp").encrypt();

src/tests/broken_configuration/config/config_encrypted_cookies_noname.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("").encrypt();
 sp.auto_cookie_secure.enable();

src/tests/broken_configuration/config/config_encrypted_regexp_cookies_bad_regexp.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name_r("^super_co[a-z+$").encrypt();
 sp.auto_cookie_secure.enable();

src/tests/broken_configuration/config/config_encryption_key_short.ini

@@ -0,0 +1 @@
+sp.global.secret_key("abcdef");

src/tests/broken_configuration/encrypt_key_too_short.phpt

@@ -0,0 +1,23 @@
+--TEST--
+Cookie encryption key too short
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/config/config_encryption_key_short.ini
+--COOKIE--
+--ENV--
+return <<<EOF
+REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php
+?>
+--EXPECT--
+PHP Fatal error:  [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] The encryption key set on line 1 is too short. please use at least 10 bytes in Unknown on line 0
+
+Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] The encryption key set on line 1 is too short. please use at least 10 bytes in Unknown on line 0
+
+Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] Invalid configuration file in Unknown on line 0
+Could not startup.

src/tests/broken_configuration/encrypt_regexp_cookies_bad_regexp.phpt

@@ -2,11 +2,12 @@
 Cookie decryption in ipv4
 --SKIPIF--
 <?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+<?php if (PHP_VERSION_ID >= 80000) print "skip"; ?>
 --INI--
 sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies_bad_regexp.ini
 error_reporting=1
 --COOKIE--
-super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM=;awful_cookie=awful_cookie_value;
+super_cookie=IpRZV4rivSjANrEOSxINd%2FdFe17giJgaAAAAAAAAAAAAAAAAAAAAALnmBVs%2BTILKxauHeGcUyJpR%2BX2UiZ6OamUTaWc=;awful_cookie=awful_cookie_value;
 --ENV--
 return <<<EOF
 REMOTE_ADDR=127.0.0.1

src/tests/broken_configuration_php8/broken_conf_cookie_name_and_regexp.phpt

@@ -4,7 +4,7 @@ Broken configuration - encrypted cookie with name and regexp
 <?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
 <?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
 --INI--
-sp.configuration_file={PWD}/config/broken_conf_cookie_name_and_regexp.ini
+sp.configuration_file={PWD}/../broken_configuration/config/broken_conf_cookie_name_and_regexp.ini
 --FILE--
 --EXPECT--
 

src/tests/broken_configuration_php8/config/broken_conf_cookie_name_and_regexp.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("my_cookie_name").name_r("my_cookie_regexp").encrypt();

src/tests/broken_configuration_php8/config/config_encrypted_cookies_noname.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("").encrypt();
 sp.auto_cookie_secure.enable();

src/tests/broken_configuration_php8/config/config_encrypted_regexp_cookies_bad_regexp.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name_r("^super_co[a-z+$").encrypt();
 sp.auto_cookie_secure.enable();

src/tests/broken_configuration_php8/encrypt_key_too_short.phpt

@@ -0,0 +1,22 @@
+--TEST--
+Cookie encryption key too short
+--SKIPIF--
+<?php if (!extension_loaded("snuffleupagus")) print "skip"; ?>
+<?php if (PHP_VERSION_ID < 80000) print "skip"; ?>
+--INI--
+sp.configuration_file={PWD}/../broken_configuration/config/config_encryption_key_short.ini
+--COOKIE--
+--ENV--
+return <<<EOF
+REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329
+HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36
+HTTPS=1
+EOF;
+--FILE--
+<?php
+?>
+--EXPECT--
+Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] The encryption key set on line 1 is too short. please use at least 10 bytes in Unknown on line 0
+
+Fatal error: [snuffleupagus][2001:0db8:0000:0000:0000:fe00:0042:8329][config][log] Invalid configuration file in Unknown on line 0
+Could not startup.

src/tests/broken_configuration_php8/encrypt_regexp_cookies_bad_regexp.phpt

@@ -6,7 +6,7 @@ Cookie decryption in ipv4
 sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies_bad_regexp.ini
 error_reporting=1
 --COOKIE--
-super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM=;awful_cookie=awful_cookie_value;
+super_cookie=IpRZV4rivSjANrEOSxINd%2FdFe17giJgaAAAAAAAAAAAAAAAAAAAAALnmBVs%2BTILKxauHeGcUyJpR%2BX2UiZ6OamUTaWc=;awful_cookie=awful_cookie_value;
 --ENV--
 return <<<EOF
 REMOTE_ADDR=127.0.0.1

src/tests/config/config_samesite_cookies.ini

@@ -1,4 +1,4 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("super_cookie").samesite("Lax");
 sp.cookie.name("awful_cookie").samesite("strict").encrypt();
 sp.cookie.name("nice_cookie").samesite("STRICT").encrypt();

src/tests/config/phplog.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");
 sp.unserialize_hmac.enable();
 sp.log_media("php");

src/tests/config/sid_length_limit.ini

@@ -0,0 +1 @@
+sp.session.sid_min_length("10").sid_max_length("32");

src/tests/config/syslog.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");
 sp.unserialize_hmac.enable();
 sp.log_media("syslog");

src/tests/config/syslog_simulation.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");
 sp.unserialize_hmac.enable().simulation();
 sp.log_media("syslog");

src/tests/cookies_encryption/config/config_encrypted_cookies.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("super_cookie").encrypt();
 sp.auto_cookie_secure.enable();

src/tests/cookies_encryption/config/config_encrypted_cookies_empty_env.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef").cookie_env_var("SUPER_ENV_VAR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("SUPER_ENV_VAR");
 sp.cookie.name("super_cookie").encrypt();

src/tests/cookies_encryption/config/config_encrypted_cookies_simulation.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("super_cookie").encrypt().simulation();
 sp.auto_cookie_secure.enable();

src/tests/cookies_encryption/config/config_encrypted_regexp_cookies.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name_r("^super_co[a-z]+$").encrypt();
 sp.auto_cookie_secure.enable();

src/tests/cookies_encryption/config/config_encrypted_regexp_cookies_empty_env.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name_r("^super_coo[a-z]+$").encrypt();

src/tests/cookies_encryption/config/encryption_key_only.ini

@@ -1 +1 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");

src/tests/cookies_encryption/encrypt_cookies.phpt

@@ -5,7 +5,7 @@ Cookie decryption in ipv4
 --INI--
 sp.configuration_file={PWD}/config/config_encrypted_cookies.ini
 --COOKIE--
-super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM=;awful_cookie=awful_cookie_value;
+super_cookie=IpRZV4rivSjANrEOSxINd%2FdFe17giJgaAAAAAAAAAAAAAAAAAAAAALnmBVs%2BTILKxauHeGcUyJpR%2BX2UiZ6OamUTaWc=;awful_cookie=awful_cookie_value;
 --ENV--
 return <<<EOF
 REMOTE_ADDR=127.0.0.1

src/tests/cookies_encryption/encrypt_cookies3.phpt

@@ -5,7 +5,7 @@ Cookie decryption with ipv6
 --INI--
 sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
 --COOKIE--
-super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM84SCotZTpP6b27Lr5lavORPMvqaKpcUahvxw=;awful_cookie=awful_cookie_value;
+super_cookie=eFXrR4GCQtT4Q7%2FLRVtDBH44aMC4hI33AAAAAAAAAAAAAAAAAAAAAGrtoM2Mltxj8%2B9dELwitKN42C8ZE1kYX%2BKWwjM%3D;awful_cookie=awful_cookie_value;
 --ENV--
 return <<<EOF
 REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329

src/tests/cookies_encryption/encrypt_regexp_cookies.phpt

@@ -5,7 +5,7 @@ Cookie decryption in ipv4
 --INI--
 sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
 --COOKIE--
-super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP3gV9YJZL/pUeNAjCKFW0U2ywmf1CwHzwd2pWM=;awful_cookie=awful_cookie_value;
+super_cookie=IpRZV4rivSjANrEOSxINd%2FdFe17giJgaAAAAAAAAAAAAAAAAAAAAALnmBVs%2BTILKxauHeGcUyJpR%2BX2UiZ6OamUTaWc=;awful_cookie=awful_cookie_value;
 --ENV--
 return <<<EOF
 REMOTE_ADDR=127.0.0.1

src/tests/cookies_encryption/encrypt_regexp_cookies3.phpt

@@ -5,7 +5,7 @@ Cookie decryption with ipv6
 --INI--
 sp.configuration_file={PWD}/config/config_encrypted_regexp_cookies.ini
 --COOKIE--
-super_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM84SCotZTpP6b27Lr5lavORPMvqaKpcUahvxw=;awful_cookie=awful_cookie_value;
+super_cookie=mzOxoJ9o9Y83iYX15DkJmYrW%2FrJfyB2SAAAAAAAAAAAAAAAAAAAAAKe5DegjtjwoFZirOY4LO6jSlqtZdF%2FUMriwn8w=;awful_cookie=awful_cookie_value;
 --ENV--
 return <<<EOF
 REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329

src/tests/cookies_encryption_warning/config/encrypt_cookies_no_env.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");
 sp.cookie.name("super_cookie").encrypt();

src/tests/cookies_encryption_warning/config/encrypt_regexp_cookies_no_env.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");
 sp.cookie.name_r("^super_co[a-z]+$").encrypt();

src/tests/cookies_php8/config/config_encrypted_cookies.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.cookie.name("super_cookie").encrypt();
 sp.auto_cookie_secure.enable();

src/tests/session_encryption/config/config_crypt_session.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.session.encrypt();

src/tests/session_encryption/config/config_crypt_session_simul.ini

@@ -1,3 +1,3 @@
-sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.global.secret_key("abcdefGHIJ").cookie_env_var("REMOTE_ADDR");
 sp.session.encrypt();
 sp.session.simulation();

src/tests/unserialize/config/config_serialize.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");
 sp.unserialize_hmac.enable();

src/tests/unserialize/config/config_serialize_sim.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");
 sp.unserialize_hmac.enable().simulation();

src/tests/unserialize/config/dump_unserialize.ini

@@ -1,2 +1,2 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");
 sp.unserialize_hmac.enable().dump("/tmp/dump_result/");

src/tests/unserialize/serialize.phpt

@@ -9,5 +9,5 @@ sp.configuration_file={PWD}/config/config_serialize.ini
 echo serialize("a");
 ?>
 --EXPECT--
-s:1:"a";650609b417904d0d9bbf1fc44a975d13ecdf6b02b715c1a06271fb3b673f25b1
+s:1:"a";cdbc93e593656164d448db33e4668a3f30fa794d6658016365f7eb453d48b022
 

src/tests/unserialize/unserialize_sim.phpt

@@ -7,12 +7,13 @@ sp.configuration_file={PWD}/config/config_serialize_sim.ini
 --FILE--
 <?php 
 $a=serialize("a");
-echo $a;
+echo $a . PHP_EOL;
 var_dump(unserialize($a));
 var_dump(unserialize('s:1:"a";alyualskdufyhalkdjsfhalkjdhflaksjdfhlkasdhflkahdawkuerylksjdfhlkssjgdflaksjdh1337sjdf'));
 ?>
 --EXPECTF--
-s:1:"a";650609b417904d0d9bbf1fc44a975d13ecdf6b02b715c1a06271fb3b673f25b1string(1) "a"
+s:1:"a";cdbc93e593656164d448db33e4668a3f30fa794d6658016365f7eb453d48b022
+string(1) "a"
 
 Warning: [snuffleupagus][0.0.0.0][unserialize][simulation] Invalid HMAC for s:1:"a";alyualskdufyhalkdjsfh in %a/unserialize_sim.php on line 5
 string(1) "a"

src/tests/unserialize_php8/config/config_serialize.ini

@@ -1 +1 @@
-sp.global.secret_key("abcdef");
+sp.global.secret_key("abcdefGHIJ");