View Issue Details

ID: 15069
Project: Bug reports
Category: [All Projects] Installation
View Status: public
Last Update: 2019-07-28 10:36
Reporter: cmrudolph
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: resolved
Resolution: fixed
Product Version: 3.17.x
Target Version:
Fixed in Version: 3.17.x
Summary: 15069: setting admin password with CLI database installation fails
Description

When using the CLI installation script
php console.php installfromconfig ../config/config.php
the admin password gets written to the database unhashed, making the login credentials unusable.

Steps To Reproduce

Configure limesurvey manually (configure webserver, extract directory, create database user, adjust application/config/config.php) and run
php console.php installfromconfig ../config/config.php

Look into the database table users.

Additional Information

The bug is located in file limesurvey/application/commands/InstallFromConfigCommand.php on line 101:
'password'=>$this->configuration['config']['defaultpass']

This line should be
'password'=>password_hash($this->configuration['config']['defaultpass'], PASSWORD_DEFAULT)

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.17.8 190722
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: postgresql 11
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.3
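
Added example (not part of the original report and not LimeSurvey code): why a row written by the reported line cannot log in, and how to audit a users table for password values that are not password_hash() output. It assumes the login path checks the stored value with password_verify(); the column name users_name, the sample password and the rows are constructed for illustration.

```php
<?php
// Added illustration; not LimeSurvey code. All rows and values below are constructed.

/** True if $stored looks like password_hash() output for any known algorithm. */
function isPasswordHash(string $stored): bool
{
    // 'algo' is 0 (PHP < 7.4) or null (PHP >= 7.4) when the string is not a recognised hash.
    return !empty(password_get_info($stored)['algo']);
}

/** Return the names of users whose stored password is not a password_hash() value. */
function findUnhashedUsers(iterable $rows): array
{
    $bad = [];
    foreach ($rows as $row) {
        if (!isPasswordHash($row['password'])) {
            $bad[] = $row['users_name']; // assumed column name
        }
    }
    return $bad;
}

// Stands in for the 'defaultpass' value read from the config file.
$defaultpass = 'constructed-example-pass';

// One row as the reported line would write it, one as the proposed fix would.
$rows = [
    ['users_name' => 'admin_buggy', 'password' => $defaultpass],
    ['users_name' => 'admin_fixed', 'password' => password_hash($defaultpass, PASSWORD_DEFAULT)],
];

foreach ($rows as $row) {
    // password_verify() returns false when the stored value is not a valid hash,
    // so the correct password is rejected for the unhashed row.
    printf(
        "%-12s stored-as-hash=%-3s login=%s\n",
        $row['users_name'],
        isPasswordHash($row['password']) ? 'yes' : 'no',
        password_verify($defaultpass, $row['password']) ? 'ok' : 'rejected'
    );
}

// Audit result: only the row written without password_hash() is reported.
print_r(findUnhashedUsers($rows));
```

Any account flagged by such an audit also has its password readable in the database, so the password should be reset rather than hashed in place.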

Activities

ollehar

2019-07-23 14:44

administrator   ~52960

It's not clear if this ticket is for LS3 or LS4.

cmrudolph

2019-07-24 06:29

reporter   ~52970

I'm not really sure - I downloaded and installed "limesurvey3.17.8+190722.tar.gz" but the installation claims to be 4.0.0-RC1 build 190722. Maybe a packaging issue?

DenisChenu

2019-07-24 10:43

developer   ~52975

Issue in 3.17: https://github.com/LimeSurvey/LimeSurvey/blob/71de5ce107acd4a02ad8376cc704aaf83e607b86/application/commands/InstallFromConfigCommand.php#L101

(But in my opinion, we must always use a model to create the user.)

ollehar

2019-07-24 10:52

administrator   ~52977

Download the package again, please. We had an error in our release before.

cmrudolph

2019-07-24 13:32

reporter   ~52983

Downloaded the package again - the problem still exists. Affected version is 3.17.8 build 190722. I don't see any option to change this information in the ticket.
I fully agree with DenisChenu that the user should be created using a model object. But the quickest fix for this issue is the one mentioned in the ticket under "additional information", to handle the password like in InstallCommand.

ollehar

2019-07-24 13:34

administrator   ~52984

Models should not be used during installation, due to problems with database cache.

cmrudolph

2019-07-24 14:26

reporter   ~52985

However, it's obvious that the script doesn't run in a valid application context, which has its own complexity. This makes it hard to implement a robust installation script and might be the reason why this approach has been chosen.
In addition I'd like to mention that commit 0d50c82 removed the password_hash function call to "fix" the InstallFromConfig script. I didn't find an associated ticket with it.

DenisChenu

2019-07-24 14:56

developer   ~52986

@cmrudolph: can you check with 'password'=>password_hash($this->configuration['defaultpass'], PASSWORD_DEFAULT), and make a pull request?

cmrudolph

2019-07-25 07:33

reporter   ~52993

Done. See my pull request at https://github.com/LimeSurvey/LimeSurvey/pull/1309
Hope a PR on master is ok...
The build broke on PHP 7.1, but this seems to be an environment problem.

Installation from config works now as expected.

cmrudolph

2019-07-25 07:36

reporter   ~52994

An additional question before merge: could it be that the observed behavior is intended to prevent the cleartext passwords from being inside the configuration file? This should be documented if it is the case.

DenisChenu

2019-07-25 08:56

developer   ~52995

I don't think so: the default password is the password from config-default, and the user gets an alert.

DenisChenu

2019-07-28 10:36

developer   ~53029

https://github.com/LimeSurvey/LimeSurvey/commit/8bacdc9cb0c75a6b4639642e51cd7df83271635f

Issue History

Date Modified Username Field Change
2019-07-23 14:02 cmrudolph New Issue
2019-07-23 14:44 ollehar Note Added: 52960
2019-07-23 14:44 ollehar Assigned To => ollehar
2019-07-23 14:44 ollehar Status new => feedback
2019-07-23 14:44 ollehar Assigned To ollehar =>
2019-07-24 06:29 cmrudolph Note Added: 52970
2019-07-24 06:29 cmrudolph Status feedback => new
2019-07-24 10:43 DenisChenu Note Added: 52975
2019-07-24 10:52 ollehar Note Added: 52977
2019-07-24 13:32 cmrudolph Note Added: 52983
2019-07-24 13:34 ollehar Note Added: 52984
2019-07-24 14:26 cmrudolph Note Added: 52985
2019-07-24 14:55 DenisChenu Complete LimeSurvey version number (& build) 4.0.0-RC1 (build 190722) => 3.17.8 190722
2019-07-24 14:56 DenisChenu Note Added: 52986
2019-07-25 07:33 cmrudolph Note Added: 52993
2019-07-25 07:36 cmrudolph Note Added: 52994
2019-07-25 08:56 DenisChenu Note Added: 52995
2019-07-28 10:36 DenisChenu Assigned To => DenisChenu
2019-07-28 10:36 DenisChenu Status new => resolved
2019-07-28 10:36 DenisChenu Resolution open => fixed
2019-07-28 10:36 DenisChenu Fixed in Version => 3.17.x
2019-07-28 10:36 DenisChenu Note Added: 53029