Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-21131

Regression - %secret% key should be generated at install/update

    XMLWordPrintable

    Details

      Description

      Regression:

      Currently we have in parameters.yml:

      parameters:
          secret: ThisTokenIsNotSoSecretChangeIt
      

      This is not secure at all and should be changed at install/update time.

      Can be done at the step where legacy settings are dumped into YAML and with a composer install/update command like it's done in Symfony standard.

      To reproduce make a clean installation with any site access verify that when you get to the "Finish" page the links will throw error 503
      Go to terminal, open "<your-site>/ezpublish/config/parameters.yml" and verify that there is "secret: null"

      On symfony debug i got "LogicException: CSRF protection needs a secret to be set" error:

      
          in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php line 155
          at FrameworkExtension->registerFormConfiguration(array('secret' => null, 'form' => array('enabled' => true), 'csrf_protection' => array('enabled' => true, 'field_name' => 'ezxform_token'), 'esi' => array('enabled' => true), 'fragments' => array('enabled' => true, 'path' => '/_fragment'), 'router' => array('resource' => '/var/www/ezp5/ezpublish/config/routing_dev.yml', 'http_port' => '80', 'https_port' => '443', 'strict_requirements' => true), 'session' => array('auto_start' => false, 'storage_id' => 'session.storage.native', 'handler_id' => 'session.handler.native_file', 'save_path' => '%kernel.cache_dir%/sessions'), 'templating' => array('engines' => array('twig', 'eztpl'), 'assets_version' => null, 'assets_version_format' => '%%s?%%s', 'hinclude_default_template' => null, 'form' => array('resources' => array('FrameworkBundle:Form')), 'assets_base_urls' => array('http' => array(*DEEP NESTED ARRAY*), 'ssl' => array(*DEEP NESTED ARRAY*)), 'loaders' => array(*DEEP NESTED ARRAY*), 'packages' => array(*DEEP NESTED ARRAY*)), 'translator' => array('enabled' => true, 'fallback' => 'en'), 'validation' => array('enabled' => true, 'enable_annotations' => true, 'translation_domain' => 'validators'), 'profiler' => array('enabled' => true, 'only_exceptions' => false, 'only_master_requests' => false, 'dsn' => 'file:%kernel.cache_dir%/profiler', 'username' => '', 'password' => '', 'lifetime' => '86400'), 'charset' => null, 'trust_proxy_headers' => false, 'trusted_proxies' => array(*DEEP NESTED ARRAY*), 'ide' => null, 'default_locale' => 'en', 'annotations' => array(*DEEP NESTED ARRAY*)), object(ContainerBuilder), object(XmlFileLoader)) in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php line 85
          at FrameworkExtension->load(array(array('esi' => null, 'fragments' => null, 'translator' => array('fallback' => 'en'), 'secret' => null, 'router' => array('resource' => '/var/www/ezp5/ezpublish/config/routing.yml'), 'form' => true, 'csrf_protection' => array('enabled' => true, 'field_name' => 'ezxform_token'), 'validation' => array('enable_annotations' => true), 'templating' => array('engines' => array('twig', 'eztpl')), 'session' => null), array('router' => array('resource' => '/var/www/ezp5/ezpublish/config/routing_dev.yml'), 'profiler' => array('only_exceptions' => false))), object(ContainerBuilder)) in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Component/DependencyInjection/Compiler/MergeExtensionConfigurationPass.php line 50
          at MergeExtensionConfigurationPass->process(object(ContainerBuilder)) in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/DependencyInjection/MergeExtensionConfigurationPass.php line 39
          at MergeExtensionConfigurationPass->process(object(ContainerBuilder)) in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Component/DependencyInjection/Compiler/Compiler.php line 119
          at Compiler->compile(object(ContainerBuilder)) in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Component/DependencyInjection/ContainerBuilder.php line 559
          at ContainerBuilder->compile() in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php line 666
          at Kernel->buildContainer() in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php line 558
          at Kernel->initializeContainer() in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php line 141
          at Kernel->boot() in /var/www/ezp5/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php line 196
          at Kernel->handle(object(Request)) in /var/www/ezp5/web/index.php line 59
      
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                marcos.loureiro@ez.no Marcos Loureiro (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 3 hours
                  3h