
#1 2021-01-20 17:06:35

esbeeb
Member
2021-01-20
9

[resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

Hello,

I'm trying to understand why there are a bunch of .js files with ugly, random filenames getting automatically generated in my /_data/combined/

The js code inside them is heavily obfuscated, with all whitespace removed!  Is that really necessary?  Does that removal of whitespace speed up downloads by a whopping 1%?  Can this dodgy-looking mechanism be explained, please?  When I see so-called "data" (which ends up being **code**, not data) which is *not* in the database, that to me is a red flag, since I would expect all "data" to be in the *database*, not out in the filesystem.  If it's some sort of cache, then perhaps the folder name "_data" should be renamed "cache"?

This obfuscated javascript code looks like a hacker's delight - it looks to me like a very juicy opportunity to hide malicious code there, and since it's not human readable, nobody would notice.

Please, assure me that the strange goings-on inside /_data/combined/ are somehow actually valuable.

Even if this mechanism is somehow unavoidable, according to your rationale, oh Piwigo devs, then I submit for your consideration an opportunity to harden up the security of the slightly random filenames you are using within /_data/combined/.  The filenames are 7 characters (not including .js extensions), being either numbers or lowercase letters.  This amount of randomness in your filenames is very low "entropy" (which is to say, the security is "Poor"), when measured by a password-testing utility such as KeePassXC:

https://ebt.support/images/entropy_bad.png

If you were wanting instead an "Excellent" amount of entropy, then consider having 23-character filenames (not including .js extension):

https://ebt.support/images/entropy_good_all_lowercase.png

Note: you can get away with "Excellent" entropy in 18-character filenames, if you would be willing to use a mixture of upper and lowercase characters:

https://ebt.support/images/entropy_good.png



    Piwigo 11.0.0
    Operating system: Linux
    PHP: 7.4.3 [2021-01-20 08:51:27]
    MySQL: 5.5.5-10.3.25-MariaDB-0ubuntu0.20.04.1 [2021-01-20 08:51:27]
    Graphics Library: GD 2.2.5


Piwigo URL: http://

Last edited by esbeeb (2021-01-20 17:11:50)


#2 2021-01-20 18:05:21

erAck
Only trying to help
2015-09-06
2031

Re: [resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

There is no connection between random file names and password entropy. The combined .js files exist to cache code generated from templates, any random file name is as good as any other as long as they don't clash. There's also no "security" value involved. You're confusing things.


Running Piwigo at https://erack.net/gallery/

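A worked example, added to this thread and not part of any post above or of Piwigo's own code, that puts numbers on the two points the first two posts argue about: how many bits of entropy each of the three naming schemes from post #1 carries, and how likely a clash is among a realistic number of cache files, which is the only property post #2 says the names need. The alphabet sizes (36 and 62), the lengths (7, 23, 18) and the file counts are taken from the thread or constructed here; the script does not read Piwigo's actual generator. The lesson is that a password-strength meter measures resistance to guessing, but a combined script's URL is necessarily written into the HTML the browser fetches, so guessability is not a property the name can provide; uniqueness is, and the birthday bound shows 36^7 is ample for that.

```python
import math
import secrets
import string

# Alphabets discussed in the thread (constructed here, not Piwigo's own code).
LOWER_ALNUM = string.ascii_lowercase + string.digits  # 36 symbols: a-z, 0-9
MIXED_ALNUM = string.ascii_letters + string.digits    # 62 symbols: a-z, A-Z, 0-9


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a name of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols, i.e. log2(alphabet_size ** length).
    This is the quantity a password meter reports."""
    return length * math.log2(alphabet_size)


def collision_probability(alphabet_size: int, length: int, n_files: int) -> float:
    """Birthday-bound estimate of the chance that at least two of `n_files`
    independently drawn random names are identical.  expm1 keeps the result
    accurate when the probability is far below float resolution around 1.0."""
    space = alphabet_size ** length
    return -math.expm1(-n_files * (n_files - 1) / (2.0 * space))


def random_name(alphabet: str, length: int) -> str:
    """One uniformly random name from `alphabet`, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fresh_name(existing: set, alphabet: str = LOWER_ALNUM, length: int = 7,
               max_tries: int = 100) -> str:
    """Draw a name not already present in `existing` (the "as long as they
    don't clash" condition from post #2) and record it there.  With 36**7
    possible names a retry is practically never needed, but the explicit loop
    turns the statistical argument into a guarantee."""
    for _ in range(max_tries):
        candidate = random_name(alphabet, length)
        if candidate not in existing:
            existing.add(candidate)
            return candidate
    raise RuntimeError("no unused name found; is the namespace exhausted?")


def compare_schemes(n_files: int = 1000) -> dict:
    """Entropy and clash odds for the three schemes the thread compares."""
    schemes = {
        "7 lowercase+digits": (36, 7),
        "23 lowercase+digits": (36, 23),
        "18 mixed-case+digits": (62, 18),
    }
    return {
        label: {
            "bits": round(entropy_bits(size, length), 1),
            "p_collision": collision_probability(size, length, n_files),
        }
        for label, (size, length) in schemes.items()
    }


if __name__ == "__main__":
    for label, stats in compare_schemes().items():
        print(f"{label:22s} {stats['bits']:6.1f} bits   "
              f"P(clash among 1000 files) = {stats['p_collision']:.2e}")
    # Clash check in action: "abc1234" (a constructed name) is already taken,
    # so the returned name must differ from it.
    taken = {"abc1234"}
    print("fresh name:", fresh_name(taken))
```

Running it shows roughly 36 bits for the 7-character scheme, which is indeed "poor" as a password but gives a clash probability on the order of 10^-6 for a thousand cache files; raising the length to 23 characters changes that figure by many orders of magnitude without changing anything an attacker can do, because the name is handed to every visitor's browser anyway.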

#3 2021-01-20 18:51:55

esbeeb
Member
2021-01-20
9

Re: [resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

OK, thanks for setting me at ease.


#4 2021-01-21 07:38:59

nicolas
Former Piwigo Team
2004-12-30
1232

Re: [resolved] Security flaw? Poor entropy /_data/combined/*.js random filenames

You're absolutely right, the _data directory is a cache. And you can change its name by overriding it in the local/config/config.inc.php file by adding:

Code:

$conf['data_location'] = 'cache/';  // or whatever filename you want

Powered by FluxBB