12 files changed, 324 insertions, 18 deletions
diff --git a/engine/classes/ElggCrypto.php b/engine/classes/ElggCrypto.php
new file mode 100644
index 000000000..317d371e4
--- /dev/null
+++ b/engine/classes/ElggCrypto.php
@@ -0,0 +1,208 @@
+<?php
+/**
+ * ElggCrypto
+ *
+ * @package    Elgg.Core
+ * @subpackage Crypto
+ *
+ * @access private
+ */
+class ElggCrypto {
+
+	/**
+	 * Character set for temp passwords (no risk of embedded profanity/glyphs that look similar)
+	 */
+	const CHARS_PASSWORD = 'bcdfghjklmnpqrstvwxyz2346789';
+
+	/**
+	 * Generate a string of highly randomized bytes (over the full 8-bit range).
+	 *
+	 * @param int $length Number of bytes needed
+	 * @return string Random bytes
+	 *
+	 * @author George Argyros <argyros.george@gmail.com>
+	 * @copyright 2012, George Argyros. All rights reserved.
+	 * @license Modified BSD
+	 * @link https://github.com/GeorgeArgyros/Secure-random-bytes-in-PHP/blob/master/srand.php Original
+	 *
+	 * Redistribution and use in source and binary forms, with or without
+	 * modification, are permitted provided that the following conditions are met:
+	 *    * Redistributions of source code must retain the above copyright
+	 *      notice, this list of conditions and the following disclaimer.
+	 *    * Redistributions in binary form must reproduce the above copyright
+	 *      notice, this list of conditions and the following disclaimer in the
+	 *      documentation and/or other materials provided with the distribution.
+	 *    * Neither the name of the <organization> nor the
+	 *      names of its contributors may be used to endorse or promote products
+	 *      derived from this software without specific prior written permission.
+	 *
+	 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+	 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+	 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+	 * DISCLAIMED. IN NO EVENT SHALL GEORGE ARGYROS BE LIABLE FOR ANY
+	 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+	 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+	 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+	 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+	 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+	 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+	 */
+	public function getRandomBytes($length) {
+		/**
+		 * Our primary choice for a cryptographic strong randomness function is
+		 * openssl_random_pseudo_bytes.
+		 */
+		$SSLstr = '4'; // http://xkcd.com/221/
+		if (function_exists('openssl_random_pseudo_bytes')
+				&& (version_compare(PHP_VERSION, '5.3.4') >= 0 || substr(PHP_OS, 0, 3) !== 'WIN')) {
+			$SSLstr = openssl_random_pseudo_bytes($length, $strong);
+			if ($strong) {
+				return $SSLstr;
+			}
+		}
+
+		/**
+		 * If mcrypt extension is available then we use it to gather entropy from
+		 * the operating system's PRNG. This is better than reading /dev/urandom
+		 * directly since it avoids reading larger blocks of data than needed.
+		 * Older versions of mcrypt_create_iv may be broken or take too much time
+		 * to finish so we only use this function with PHP 5.3.7 and above.
+		 * @see https://bugs.php.net/bug.php?id=55169
+		 */
+		if (function_exists('mcrypt_create_iv')
+				&& (version_compare(PHP_VERSION, '5.3.7') >= 0 || substr(PHP_OS, 0, 3) !== 'WIN')) {
+			$str = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
+			if ($str !== false) {
+				return $str;
+			}
+		}
+
+		/**
+		 * No build-in crypto randomness function found. We collect any entropy
+		 * available in the PHP core PRNGs along with some filesystem info and memory
+		 * stats. To make this data cryptographically strong we add data either from
+		 * /dev/urandom or if its unavailable, we gather entropy by measuring the
+		 * time needed to compute a number of SHA-1 hashes.
+		 */
+		$str = '';
+		$bits_per_round = 2; // bits of entropy collected in each clock drift round
+		$msec_per_round = 400; // expected running time of each round in microseconds
+		$hash_len = 20; // SHA-1 Hash length
+		$total = $length; // total bytes of entropy to collect
+
+		$handle = @fopen('/dev/urandom', 'rb');
+		if ($handle && function_exists('stream_set_read_buffer')) {
+			@stream_set_read_buffer($handle, 0);
+		}
+
+		do {
+			$bytes = ($total > $hash_len) ? $hash_len : $total;
+			$total -= $bytes;
+
+			//collect any entropy available from the PHP system and filesystem
+			$entropy = rand() . uniqid(mt_rand(), true) . $SSLstr;
+			$entropy .= implode('', @fstat(@fopen(__FILE__, 'r')));
+			$entropy .= memory_get_usage() . getmypid();
+			$entropy .= serialize($_ENV) . serialize($_SERVER);
+			if (function_exists('posix_times')) {
+				$entropy .= serialize(posix_times());
+			}
+			if (function_exists('zend_thread_id')) {
+				$entropy .= zend_thread_id();
+			}
+
+			if ($handle) {
+				$entropy .= @fread($handle, $bytes);
+			} else {
+				// Measure the time that the operations will take on average
+				for ($i = 0; $i < 3; $i++) {
+					$c1 = microtime(true);
+					$var = sha1(mt_rand());
+					for ($j = 0; $j < 50; $j++) {
+						$var = sha1($var);
+					}
+					$c2 = microtime(true);
+					$entropy .= $c1 . $c2;
+				}
+
+				// Based on the above measurement determine the total rounds
+				// in order to bound the total running time.
+				$rounds = (int) ($msec_per_round * 50 / (int) (($c2 - $c1) * 1000000));
+
+				// Take the additional measurements. On average we can expect
+				// at least $bits_per_round bits of entropy from each measurement.
+				$iter = $bytes * (int) (ceil(8 / $bits_per_round));
+
+				for ($i = 0; $i < $iter; $i++) {
+					$c1 = microtime();
+					$var = sha1(mt_rand());
+					for ($j = 0; $j < $rounds; $j++) {
+						$var = sha1($var);
+					}
+					$c2 = microtime();
+					$entropy .= $c1 . $c2;
+				}
+			}
+
+			// We assume sha1 is a deterministic extractor for the $entropy variable.
+			$str .= sha1($entropy, true);
+
+		} while ($length > strlen($str));
+
+		if ($handle) {
+			@fclose($handle);
+		}
+
+		return substr($str, 0, $length);
+	}
+
+	/**
+	 * Generate a random string of specified length.
+	 *
+	 * Uses supplied character list for generating the new string.
+	 * If no character list provided - uses Base64 URL character set.
+	 *
+	 * @param int         $length Desired length of the string
+	 * @param string|null $chars  Characters to be chosen from randomly. If not given, the Base64 URL
+	 *                            charset will be used.
+	 *
+	 * @return string The random string
+	 *
+	 * @throws InvalidArgumentException
+	 *
+	 * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
+	 * @license   http://framework.zend.com/license/new-bsd New BSD License
+	 *
+	 * @see https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L179
+	 */
+	public static function getRandomString($length, $chars = null) {
+		if ($length < 1) {
+			throw new InvalidArgumentException('Length should be >= 1');
+		}
+
+		if (empty($chars)) {
+			$numBytes = ceil($length * 0.75);
+			$bytes    = self::getRandomBytes($numBytes);
+			$string = substr(rtrim(base64_encode($bytes), '='), 0, $length);
+
+			// Base64 URL
+			return strtr($string, '+/', '-_');
+		}
+
+		$listLen = strlen($chars);
+
+		if ($listLen == 1) {
+			return str_repeat($chars, $length);
+		}
+
+		$bytes  = self::getRandomBytes($length);
+		$pos    = 0;
+		$result = '';
+		for ($i = 0; $i < $length; $i++) {
+			$pos     = ($pos + ord($bytes[$i])) % $listLen;
+			$result .= $chars[$pos];
+		}
+
+		return $result;
+	}
+}
diff --git a/engine/classes/ElggPlugin.php b/engine/classes/ElggPlugin.php
index 7bf6eb1df..545b9a53c 100644
--- a/engine/classes/ElggPlugin.php
+++ b/engine/classes/ElggPlugin.php
@@ -299,17 +299,15 @@ class ElggPlugin extends ElggObject {
 
 		$private_settings = get_data($q);
 
-		if ($private_settings) {
-			$return = array();
+		$return = array();
 
+		if ($private_settings) {
 			foreach ($private_settings as $setting) {
 				$return[$setting->name] = $setting->value;
 			}
-
-			return $return;
 		}
 
-		return false;
+		return $return;
 	}
 
 	/**
@@ -423,20 +421,18 @@ class ElggPlugin extends ElggObject {
 
 		$private_settings = get_data($q);
 
-		if ($private_settings) {
-			$return = array();
+		$return = array();
 
+		if ($private_settings) {
 			foreach ($private_settings as $setting) {
 				$name = substr($setting->name, $ps_prefix_len);
 				$value = $setting->value;
 
 				$return[$name] = $value;
 			}
-
-			return $return;
 		}
 
-		return false;
+		return $return;
 	}
 
 	/**
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 56936f582..8047914ac 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -364,16 +364,19 @@ function generate_action_token($timestamp) {
 }
 
 /**
- * Initialise the site secret hash.
+ * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL).
  *
  * Used during installation and saves as a datalist.
  *
+ * Note: Old secrets were hex encoded.
+ *
  * @return mixed The site secret hash or false
  * @access private
  * @todo Move to better file.
  */
 function init_site_secret() {
-	$secret = md5(rand() . microtime());
+	$secret = 'z' . ElggCrypto::getRandomString(31);
+
 	if (datalist_set('__site_secret__', $secret)) {
 		return $secret;
 	}
@@ -400,6 +403,26 @@ function get_site_secret() {
 }
 
 /**
+ * Get the strength of the site secret
+ *
+ * @return string "strong", "moderate", or "weak"
+ * @access private
+ */
+function _elgg_get_site_secret_strength() {
+	$secret = get_site_secret();
+	if ($secret[0] !== 'z') {
+		$rand_max = getrandmax();
+		if ($rand_max < pow(2, 16)) {
+			return 'weak';
+		}
+		if ($rand_max < pow(2, 32)) {
+			return 'moderate';
+		}
+	}
+	return 'strong';
+}
+
+/**
  * Check if an action is registered and its script exists.
  *
  * @param string $action Action name
diff --git a/engine/lib/admin.php b/engine/lib/admin.php
index 7f82108c0..f36f29668 100644
--- a/engine/lib/admin.php
+++ b/engine/lib/admin.php
@@ -236,6 +236,7 @@ function admin_init() {
 	elgg_register_action('admin/site/update_advanced', '', 'admin');
 	elgg_register_action('admin/site/flush_cache', '', 'admin');
 	elgg_register_action('admin/site/unlock_upgrade', '', 'admin');
+	elgg_register_action('admin/site/regenerate_secret', '', 'admin');
 
 	elgg_register_action('admin/menu/save', '', 'admin');
 
@@ -291,6 +292,7 @@ function admin_init() {
 	elgg_register_admin_menu_item('configure', 'settings', null, 100);
 	elgg_register_admin_menu_item('configure', 'basic', 'settings', 10);
 	elgg_register_admin_menu_item('configure', 'advanced', 'settings', 20);
+	elgg_register_admin_menu_item('configure', 'advanced/site_secret', 'settings', 25);
 	elgg_register_admin_menu_item('configure', 'menu_items', 'appearance', 30);
 	elgg_register_admin_menu_item('configure', 'profile_fields', 'appearance', 40);
 	// default widgets is added via an event handler elgg_default_widgets_init() in widgets.php
diff --git a/engine/lib/deprecated-1.7.php b/engine/lib/deprecated-1.7.php
index 519eea89d..ee95b5611 100644
--- a/engine/lib/deprecated-1.7.php
+++ b/engine/lib/deprecated-1.7.php
@@ -1137,6 +1137,7 @@ function make_register_object($register_name, $register_value, $children_array =
  * @param int $guid GUID
  *
  * @return 1
+ * @deprecated 1.7
  */
 function delete_object_entity($guid) {
 	system_message(elgg_echo('deprecatedfunction', array('delete_user_entity')));
@@ -1154,6 +1155,7 @@ function delete_object_entity($guid) {
  * @param int $guid User GUID
  *
  * @return 1
+ * @deprecated 1.7
  */
 function delete_user_entity($guid) {
 	system_message(elgg_echo('deprecatedfunction', array('delete_user_entity')));
diff --git a/engine/lib/deprecated-1.8.php b/engine/lib/deprecated-1.8.php
index 6aa42a81d..91068d047 100644
--- a/engine/lib/deprecated-1.8.php
+++ b/engine/lib/deprecated-1.8.php
@@ -3414,6 +3414,7 @@ function list_annotations($entity_guid, $name = "", $limit = 25, $asc = true) {
  * @param unknown_type $timeupper
  * @param unknown_type $calculation
  * @internal Don't use this at all.
+ * @deprecated 1.8 Use elgg_get_annotations()
  */
 function elgg_deprecated_annotation_calculation($entity_guid = 0, $entity_type = "", $entity_subtype = "",
 $name = "", $value = "", $value_type = "", $owner_guid = 0, $timelower = 0,
@@ -4667,6 +4668,7 @@ function display_widget(ElggObject $widget) {
  *
  * @param ElggEntity $entity
  * @return int Number of comments
+ * @deprecated 1.8 Use ElggEntity->countComments()
  */
 function elgg_count_comments($entity) {
 	elgg_deprecated_notice('elgg_count_comments() is deprecated by ElggEntity->countComments()', 1.8);
diff --git a/engine/lib/memcache.php b/engine/lib/memcache.php
index f79fba4a9..79b87e850 100644
--- a/engine/lib/memcache.php
+++ b/engine/lib/memcache.php
@@ -35,3 +35,23 @@ function is_memcache_available() {
 
 	return $memcache_available;
 }
+
+/**
+ * Invalidate an entity in memcache
+ *
+ * @param int $entity_guid The GUID of the entity to invalidate
+ *
+ * @return void
+ * @access private
+ */
+function _elgg_invalidate_memcache_for_entity($entity_guid) {
+	static $newentity_cache;
+	
+	if ((!$newentity_cache) && (is_memcache_available())) {
+		$newentity_cache = new ElggMemcache('new_entity_cache');
+	}
+	
+	if ($newentity_cache) {
+		$newentity_cache->delete($entity_guid);
+	}
+}
+\ No newline at end of file
diff --git a/engine/lib/notification.php b/engine/lib/notification.php
index b6399b3c6..2506867d5 100644
--- a/engine/lib/notification.php
+++ b/engine/lib/notification.php
@@ -110,12 +110,15 @@ function notify_user($to, $from, $subject, $message, array $params = NULL, $meth
 			// Are we overriding delivery?
 			$methods = $methods_override;
 			if (!$methods) {
-				$tmp = (array)get_user_notification_settings($guid);
+				$tmp = get_user_notification_settings($guid);
 				$methods = array();
-				foreach ($tmp as $k => $v) {
-					// Add method if method is turned on for user!
-					if ($v) {
-						$methods[] = $k;
+				// $tmp may be false. don't cast
+				if (is_array($tmp)) {
+					foreach ($tmp as $k => $v) {
+						// Add method if method is turned on for user!
+						if ($v) {
+							$methods[] = $k;
+						}
 					}
 				}
 			}
diff --git a/engine/lib/output.php b/engine/lib/output.php
index 6172a5c8d..de4f911fb 100644
--- a/engine/lib/output.php
+++ b/engine/lib/output.php
@@ -421,6 +421,25 @@ function _elgg_html_decode($string) {
 }
 
 /**
+ * Prepares query string for output to prevent CSRF attacks.
+ * 
+ * @param string $string
+ * @return string
+ *
+ * @access private
+ */
+function _elgg_get_display_query($string) {
+	//encode <,>,&, quotes and characters above 127
+	if (function_exists('mb_convert_encoding')) {
+		$display_query = mb_convert_encoding($string, 'HTML-ENTITIES', 'UTF-8');
+	} else {
+		// if no mbstring extension, we just strip characters
+		$display_query = preg_replace("/[^\x01-\x7F]/", "", $string);
+	}
+	return htmlspecialchars($display_query, ENT_QUOTES, 'UTF-8', false);
+}
+
+/**
  * Unit tests for Output
  *
  * @param string  $hook   unit_test
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index fb28e1e9a..e3d5ce9cd 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -326,6 +326,12 @@ function login(ElggUser $user, $persistent = false) {
 	set_last_login($_SESSION['guid']);
 	reset_login_failure_count($user->guid); // Reset any previous failed login attempts
 
+	// if memcache is enabled, invalidate the user in memcache @see https://github.com/Elgg/Elgg/issues/3143
+	if (is_memcache_available()) {
+		// this needs to happen with a shutdown function because of the timing with set_last_login()
+		register_shutdown_function("_elgg_invalidate_memcache_for_entity", $_SESSION['guid']);
+	}
+	
 	return true;
 }
 
diff --git a/engine/lib/system_log.php b/engine/lib/system_log.php
index 5a153afb2..84302632e 100644
--- a/engine/lib/system_log.php
+++ b/engine/lib/system_log.php
@@ -187,7 +187,16 @@ function system_log($object, $event) {
 		$object_subtype = $object->getSubtype();
 		$event = sanitise_string($event);
 		$time = time();
-		$ip_address = sanitise_string($_SERVER['REMOTE_ADDR']);
+
+		if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
+			$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
+		} elseif (!empty($_SERVER['HTTP_X_REAL_IP'])) {
+			$ip_address = array_pop(explode(',', $_SERVER['HTTP_X_REAL_IP']));
+		} else {
+			$ip_address = $_SERVER['REMOTE_ADDR'];
+		}
+		$ip_address = sanitise_string($ip_address);
+
 		$performed_by = elgg_get_logged_in_user_guid();
 
 		if (isset($object->access_id)) {
diff --git a/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
new file mode 100644
index 000000000..538d74dd6
--- /dev/null
+++ b/engine/lib/upgrades/2013060900-1.8.15-site_secret-404fc165cf9e0ac9.php
@@ -0,0 +1,16 @@
+<?php
+/**
+ * Elgg 1.8.15 upgrade 2013060900
+ * site_secret
+ *
+ * Description
+ */
+
+$strength = _elgg_get_site_secret_strength();
+
+if ($strength !== 'strong') {
+	// a new key is needed immediately
+	register_translations(elgg_get_root_path() . 'languages/');
+
+	elgg_add_admin_notice('weak_site_key', elgg_echo("upgrade:site_secret_warning:$strength"));
+}