Comments (7)
Maybe encrypt the passwords with MD5 or SHA in combination with a salt?
from bicbucstriim.
Yes, SHA encryption or something else is certainly possible. But with the current use case that seemed to be overkill. There are no users to protect from evil administrators, I guessed. If somebody has access to your SQLite db then they are already on the NAS and don't need passwords to access the books.
from bicbucstriim.
But what if the admin password is used for other things as well?
A regular user might be allowed to access the books, but not to change or modify things.
The system runs an external website as well.
From: Rainer Volz [mailto:[email protected]]
Sent: Sunday, 26 May 2013 15:05
To: rvolz/BicBucStriim
CC: isr001
Subject: Re: [BicBucStriim] /data/data.db file contains plain passwords - how to secure this more (#53)
from bicbucstriim.
I think maybe for someone who is using it on a server that's online and can be viewed by anyone.
Just enter after the address data/data.db and they can read the file. If the password is protected, then they can't access the admin module and also not know the password for protecting the books.
from bicbucstriim.
You can do both: encrypted password and make sure that data.db can only be accessed by the program and not by someone else (maybe this can be done in the htaccess file).
from bicbucstriim.
Yes, this is already in V1.1: @janeczku added db protection a few weeks ago to .htaccess.
<FilesMatch data.db>
Order allow,deny
Deny from all
</FilesMatch>
So it shouldn't be possible to download the data.db. At least it isn't possible on my system. As long as nobody else has access to the filesystem your passwords are safe.
Anyway, v1.2 will change to a login-based system, and if that's important for you, I'll add the possibility to encrypt passwords.
from bicbucstriim.
@rvolz. Sorry, I overlooked that.
For me it's also not important. I use it on my NAS but this can't be accessed from outside.
I see some people on the internet are using an old version and you can just read the data.db file...
Maybe we have to look for an inline update that checks if you have the latest version of BicBucStriim because it gets more secure.
from bicbucstriim.
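The salted-hash approach suggested in this thread, as an added example that is not BicBucStriim's code: it migrates plaintext passwords in a constructed in-memory SQLite table standing in for data.db and verifies logins against the result. The `user` table layout, the function names and the iteration count are assumptions, and PBKDF2-HMAC-SHA256 is used instead of a single MD5 or SHA pass so that each guess against a leaked database file is expensive.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value, tune for the host)

def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False  # plaintext or malformed rows never verify

def migrate_plaintext(conn: sqlite3.Connection) -> int:
    """Replace every plaintext value in user.password with a salted hash."""
    rows = conn.execute("SELECT id, password FROM user").fetchall()
    todo = [(hash_password(pw), uid) for uid, pw in rows
            if not pw.startswith("pbkdf2_sha256$")]
    conn.executemany("UPDATE user SET password = ? WHERE id = ?", todo)
    conn.commit()
    return len(todo)

def demo() -> sqlite3.Connection:
    """Constructed stand-in for data.db; the table layout is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Two constructed accounts sharing one password, to show the effect of the salt.
    conn.executemany("INSERT INTO user (username, password) VALUES (?, ?)",
                     [("admin", "constructed-pw"), ("reader", "constructed-pw")])
    migrate_plaintext(conn)
    return conn

if __name__ == "__main__":
    for name, stored in demo().execute("SELECT username, password FROM user"):
        print(name, stored)
```

Because each row gets its own salt, the two accounts end up with different stored values even though they share a password, and running the migration a second time changes nothing.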