You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 Re: FluxBB discussion » FluxBB 2.0 - couple ideas » 2010-12-28 18:51:52
- Ruckus
Ruckus wrote:Edit: What is used for the salt doesn't matter, my main point was to use a per user salt rather than only a global salt. I hadn't seen that concept mentioned yet in this thread, perhaps I simply missed it.
I think we were referring to per-user salts the whole time, even though we didn't mention them explicitly. At least that's what I understood
Ah I apologize then. I was reminded of this thread when I saw the Mozilla announcement today, so I thought I'd chime in.
#2 Re: FluxBB discussion » FluxBB 2.0 - couple ideas » 2010-12-28 17:13:18
- Ruckus
The global salt doesn't add any more security to the scheme, just more complexity.
Also, using the time the account was created makes for a slightly weaker salt than an actual string of random characters (assuming a UNIX timestamp, which only has resolution down to seconds and is a fixed size).
You are right about the global salt, I generally only use the timestamp because it's readily available in the database and already associated with a user. I'm not sure how it would be weaker though. The entire idea behind hashing is that even a small change (1bit) in the input produces a vastly different output. One issue I could possibly see is if two users happened to sign up at the same exact second. To avoid this, you could use microtime to provide a higher resolution salt.
I only suggest using the account creation time to avoid having to have another field in the profile table, as well as having to generate a random string as the salt, which isn't a bad idea either if you want to take the extra 20 minutes to implement it that way.
Edit: What is used for the salt doesn't matter, my main point was to use a per user salt rather than only a global salt. I hadn't seen that concept mentioned yet in this thread, perhaps I simply missed it.
#3 Re: FluxBB discussion » FluxBB 2.0 - couple ideas » 2010-12-28 16:13:18
- Ruckus
I just thought I'd point this out as it's relevant to the discussion at hand: http://blog.mozilla.com/security/2010/1 … isclosure/
I suggest using two salts, a global salt as well as a per-user salt. A per user salt adds security because an attacker would then have to re-generate the rainbow table database for each user they want to attack, rather than just generate them once for the entire database using the global salt.
I generally use the time that the account was created as a per-user salt.
This is a really good read about the subject as well: http://chargen.matasano.com/chargen/200 … out-s.html
#4 Re: Announcements » FluxBB direction - incremental vs major » 2010-07-24 23:56:05
- Ruckus
I would be very interested in helping with a 2.0 rewrite. With a proper template engine and extension system FluxBB could be a major competitor with other forum software while remaining small and light-weight at it's core. I also think the current dev team is a lot stronger and more organized than what we've seen in the past.
#5 Re: Core development » 2.0 Ideas » 2009-09-05 11:10:28
- Ruckus
I'd like to see FluxBB go more OOP for 2.0. I think this would help a lot with extensions as well. You would have a basic extension class that each extension would extend. You then put all of these extensions in an extension folder, have a requirement that all extensions be named the same as their file name. You could then instantiate the class based the file name of the PHP file:
This is the same basic approach I took when working on MOOPF, (My Object Oriented PHP Framework). http://github.com/GeorgeMH/moopf/tree/master
//
// Load all php files inside of directory as modules.
// $modules is passed as reference
//
public function loadModuleDir($modDir, &$modules){
if(!is_array($modules))
$modules = array();
if(!is_dir($modDir))
throw new Exception('Module directory \''.$modDir.'\' does not exist. Please check the moopf configuration.');
$files = glob($modDir.'*.php');
if(!$files){
$files = array();
}
foreach($files as $file){ // load modules
$name = substr(basename($file), 0, -4);
require($file);
$modules[$name] = new $name($this->req);
}
}You can see an example module extending the basic module class.
This would solve the use of using eval() to execute actual extension code, speed things up and make them a bit more organized. You would probably use an XML based config file for each module similar to the one 1.3 used. You should note that moopf was just a simple idea of creating an entirely OOP driven PHP frame work I wanted to explore when working on my personal website. It includes a basic template system as well. I'm not suggesting you use it for FluxBB, just simply a similar approach of using OOP principals more. From a brief glance, the webpy project FSX linked to is similar as well.
#6 Re: Programming » Determine file type » 2009-02-10 12:17:11
- Ruckus
I use this function. It attempts to use the FileInfo module if its loaded, otherwise it trys the mime_content_type, and as a fall back it uses a shell command. Because of what I'm using the function for, it takes some special cases into account and returns specific mime types if the extensions match.
public function getMimeType($file){
$type = 'application/octet-stream';
if(function_exists('finfo_open')){ // Pecl
$finfo = finfo_open(FILEINFO_MIME);
$type = finfo_file($finfo, $file);
finfo_close($finfo);
}elseif(function_exists('mime_content_type')){ //attempt deprecated mime_content_type
$type = mime_content_type($file);
}else{ //attempt to use a shell command
$type = shell_exec('file -i -b '.escapeshellarg($file));
$type = explode(' ', $type);
if(is_array($type))
$type = $type[0];
}
if(substr($type, 0, 5) == 'text/'){
$ext = strtolower(substr($file, strrpos($file, '.')));
if($ext == '.php'){
$type = 'application/x-httpd-php';
}elseif($ext == '.phps'){
$type = 'application/x-httpd-php-source';
}elseif($ext == '.css'){
$type = 'text/css';
}elseif($ext == '.js'){
$type = 'text/javascript';
}
}
return $type;
}#7 Re: General discussion » 1.3 query builder question » 2009-01-05 06:56:33
- Ruckus
I thought that was probably the case. I was just curious as all the code snippets I've seen for extensions seem to have a severe dislike for the likes of $db->escape.
Sounds like some insecure extensions to me. 
#8 Re: General discussion » Copyright question » 2009-01-05 04:53:34
- Ruckus
I have included some code from FluxBB into my project, I want to make sure I followed all of the guidelines:
http://git.georgemh.com/?p=ezphp.git;a= … c5;hb=HEAD
That is all that is needed correct?
Pages: 1