Merge pull request #821 from davgothic/toggle-key-permissions-check

Add toggle to disable key permissions check for 5.1.*

.travis.yml

@@ -12,7 +12,6 @@ php:
   - 5.6
   - 7.0
   - 7.1
-  - hhvm
 
 install:
   - travis_retry composer install --no-interaction --prefer-source

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 5.1.5 (released 2017-07-11)
+
+To address feedback from the security release the following two changes have been made:
+
+* If an RSA key cannot be `chmod`'ed to 600 then it will now throw a `E_USER_NOTICE` instead of an exception.
+* Not using the new encryption key method on `AuthorizationServer` will set throw an `E_USER_DEPRECATED` message instead of an error.
+
 ## 5.1.4 (released 2017-07-01)
 
 * Fixed multiple security vulnerabilities as a result of a security audit paid for by the [Mozilla Secure Open Source Fund](https://wiki.mozilla.org/MOSS/Secure_Open_Source). All users of this library are encouraged to update as soon as possible to this version or version 6.0 or greater.

README.md

@@ -1,5 +1,11 @@
 # PHP OAuth 2.0 Server
 
+### :warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:
+### Security Notice 
+
+### Please upgrade to version `>=5.1.4` (backwards compatible) or `6.x` (one tiny breaking change) to fix some potential security vulnerabilities 
+### :warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:
+
 [![Latest Version](http://img.shields.io/packagist/v/league/oauth2-server.svg?style=flat-square)](https://github.com/thephpleague/oauth2-server/releases)
 [![Software License](https://img.shields.io/badge/license-MIT-brightgreen.svg?style=flat-square)](LICENSE.md)
 [![Build Status](https://img.shields.io/travis/thephpleague/oauth2-server/master.svg?style=flat-square)](https://travis-ci.org/thephpleague/oauth2-server)

src/AuthorizationServer.php

@@ -139,7 +139,7 @@ class AuthorizationServer implements EmitterAwareInterface
 
         if ($this->encryptionKey === null) {
             // @codeCoverageIgnoreStart
-            error_log(self::ENCRYPTION_KEY_ERROR);
+            trigger_error(self::ENCRYPTION_KEY_ERROR, E_USER_DEPRECATED);
             // @codeCoverageIgnoreEnd
         }
         $grantType->setEncryptionKey($this->encryptionKey);
@@ -161,7 +161,7 @@ class AuthorizationServer implements EmitterAwareInterface
     {
         if ($this->encryptionKey === null) {
             // @codeCoverageIgnoreStart
-            error_log(self::ENCRYPTION_KEY_ERROR);
+            trigger_error(self::ENCRYPTION_KEY_ERROR, E_USER_DEPRECATED);
             // @codeCoverageIgnoreEnd
         }
 

src/CryptKey.php

@@ -29,8 +29,9 @@ class CryptKey
     /**
      * @param string      $keyPath
      * @param null|string $passPhrase
+     * @param bool        $keyPermissionsCheck
      */
-    public function __construct($keyPath, $passPhrase = null)
+    public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck = true)
     {
         if (preg_match(self::RSA_KEY_PATTERN, $keyPath)) {
             $keyPath = $this->saveKeyToFile($keyPath);
@@ -44,19 +45,16 @@ class CryptKey
             throw new \LogicException(sprintf('Key path "%s" does not exist or is not readable', $keyPath));
         }
 
-        // Verify the permissions of the key
-        $keyPathPerms = decoct(fileperms($keyPath) & 0777);
-        if ($keyPathPerms !== '600') {
-            // Attempt to correct the permissions
-            if (chmod($keyPath, 0600) === false) {
+        if ($keyPermissionsCheck === true) {
+            // Verify the permissions of the key
+            $keyPathPerms = decoct(fileperms($keyPath) & 0777);
+            if (in_array($keyPathPerms, ['600', '660'], true) === false) {
                 // @codeCoverageIgnoreStart
-                throw new \LogicException(
-                    sprintf(
-                        'Key file "%s" permissions are not correct, should be 600 instead of %s, unable to automatically resolve the issue',
-                        $keyPath,
-                        $keyPathPerms
-                    )
-                );
+                trigger_error(sprintf(
+                    'Key file "%s" permissions are not correct, should be 600 or 660 instead of %s',
+                    $keyPath,
+                    $keyPathPerms
+                ), E_USER_NOTICE);
                 // @codeCoverageIgnoreEnd
             }
         }