GeekFunkLabs / fluidpatcher

A performance-oriented patch interface for FluidSynth
MIT License

Small security quibble #68

Closed zenfish closed 1 year ago

zenfish commented 1 year ago

In your installer (https://raw.githubusercontent.com/albedozero/fluidpatcher/master/assets/squishbox-install.bash), where you tell people to -

curl -L git.io/squishbox | bash

The script does:

fmgr_hash=`wget -qO - geekfunklabs.com/passhash.php?password=$password`

You really should do this on the Raspberry Pi itself vs. over the network. An unscrupulous person (if not you, someone could grab the domain or do MitM since you're not using https in the command) could save the password along with the requesting IP and potentially do some harm to someone installing the package (either by directly accessing the Pi or by abusing people who use the same password all over the place (... it happens....)).

E.g. It'd be easy to do something like (or w/e) -

php -r 'print password_hash($argv[1], PASSWORD_DEFAULT);' -- "$password"   # password goes in as an argument, not spliced into the PHP source
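A local-hashing version of that installer step, as an added example that is not the installer's own code: the hash is computed on the Pi with PHP's password_hash when php is present and otherwise as SHA-512 crypt via openssl, and the password is handed over through an environment variable or stdin rather than a URL or command line. That passhash.php returned a PHP password_hash-style string, and that openssl is installed, are assumptions.

```bash
#!/usr/bin/env bash
# Added example: hash the file-manager password on the device instead of
# sending it to geekfunklabs.com/passhash.php over plain HTTP.
set -euo pipefail

# Hash a password locally. The password never appears in a URL or in `ps`
# output: PHP reads it from the environment, openssl reads it from stdin.
local_passhash() {
    local password="$1"
    if command -v php >/dev/null 2>&1; then
        # Assumed to match what passhash.php produced (bcrypt, "$2y$...").
        PASSHASH_PW="$password" php -r 'echo password_hash(getenv("PASSHASH_PW"), PASSWORD_DEFAULT);'
    else
        # Fallback: SHA-512 crypt, "$6$<salt>$<digest>".
        printf '%s\n' "$password" | openssl passwd -6 -stdin
    fi
}

# Check a password against a hash produced above.
# Returns 0 on match, 1 on mismatch, 2 for an unrecognised hash format.
verify_passhash() {
    local password="$1" hash="$2" salt
    case "$hash" in
        '$2y$'*)
            PASSHASH_PW="$password" PASSHASH_H="$hash" \
                php -r 'exit(password_verify(getenv("PASSHASH_PW"), getenv("PASSHASH_H")) ? 0 : 1);' ;;
        '$6$'*)
            # Re-hash with the salt embedded in the stored hash and compare.
            salt=$(printf '%s' "$hash" | cut -d'$' -f3)
            [ "$(printf '%s\n' "$password" | openssl passwd -6 -salt "$salt" -stdin)" = "$hash" ] ;;
        *)
            return 2 ;;
    esac
}
```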

albedozero commented 1 year ago

Excellent idea - added in commit 793616763df098f508dbf62a1442295e66184e22