From 552499e0533ce54b55f4304b41ca6cd7ccce51f8 Mon Sep 17 00:00:00 2001
From: plegall
Date: Thu, 17 Oct 2024 11:11:59 +0200
Subject: [PATCH] fixes GHSA-hghg-37rg-7r42 increase security on secret_key
---
 install.php | 2 +-
 install/db/174-database.php | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 install/db/174-database.php
diff --git a/install.php b/install.php
index 5b34727d6..7e5ff8001 100644
--- a/install.php
+++ b/install.php
@@ -351,7 +351,7 @@ define(\'DB_COLLATE\', \'\');
 $query = '
 INSERT INTO '.$prefixeTable.'config (param,value,comment)
- VALUES (\'secret_key\',md5('.pwg_db_cast_to_text(DB_RANDOM_FUNCTION.'()').'),
+ VALUES (\'secret_key\',\''.sha1(random_bytes(1000)).'\'),
 \'a secret key specific to the gallery for internal use\');';
 pwg_query($query);
diff --git a/install/db/174-database.php b/install/db/174-database.php
new file mode 100644
index 000000000..f2071c0ee
--- /dev/null
+++ b/install/db/174-database.php
@@ -0,0 +1,20 @@
+
\ No newline at end of file
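Review bot: The new value `sha1(random_bytes(1000))` in the `+ VALUES` line of install.php hashes 8000 bits of CSPRNG output down to a 160-bit hex string, so the key's strength is adequate, but passing it through SHA-1 adds nothing and will be flagged by code scanners that treat sha1 as a deprecated primitive. `bin2hex(random_bytes(20))` yields the same 40-character hex format without the hash (keep 20 bytes if anything downstream assumes that length, which this hunk does not show): `VALUES (\'secret_key\',\''.bin2hex(random_bytes(20)).'\'),`. `random_bytes()` throws when no CSPRNG source is available; since this runs during installation the exception presumably propagates out of the page rather than inserting an empty key, which is the right failure mode but worth confirming against the caller. The hex output contains only `[0-9a-f]`, so concatenating it into the SQL literal as done here is safe. The surrounding install code begins and ends outside the hunk.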
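Review bot: The body of the new file `install/db/174-database.php` is missing from this patch as rendered — the hunk header announces 20 added lines but only an empty `+` line and the no-newline marker survive — so the upgrade step that presumably regenerates `secret_key` for galleries installed before this commit cannot be reviewed here. Given the subject line, that upgrade path is the part most worth checking: it should draw the new value from the same `random_bytes()` source as the install.php hunk rather than from the database's random function it replaces. If the content was lost in rendering, please attach the file.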