Bug #29220
Closed
createEncryptionKey always returns key with 96 characters
100%
Description
In file introductionpackage-4.5.4\typo3\sysext\install\mod\class.tx_install.php in function createEncryptionKey a parameter $keyLength can be set but is ignored in the end.
Since bin2hex returns two characters for each byte the following version should be sufficient.
Instead of:
public function createEncryptionKey($keyLength = 96) {
    $bytes = t3lib_div::generateRandomBytes($keyLength);
    return substr(bin2hex($bytes), -96);
}
Use:
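public function createEncryptionKey($keyLength = 96) {
    // bin2hex() returns two characters per byte, so half as many bytes (rounded up) are enough
    $bytes = t3lib_div::generateRandomBytes((int) ceil($keyLength / 2));
    // Offset 0, length $keyLength: keep exactly the requested number of characters
    return substr(bin2hex($bytes), 0, $keyLength);
}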
Updated by Ingmar Schlecht about 13 years ago
- Assignee set to Helmut Hummel
@Helmut, could you check it and dispatch the bug to someone in the security team please? Thx in advance!
Updated by Steffen Gebert about 13 years ago
I wouldn't treat this as a security issue. It's a normal bug.
Updated by Steffen Gebert about 13 years ago
- Status changed from New to Accepted
Confirmed by Unit Test in #29368
I'm not yet working on a solution (so if somebody else wants to pick this, feel free!). Adrian, could you push a patch to Gerrit? See http://wiki.typo3.org/Git
Updated by Helmut Hummel about 13 years ago
Just use t3lib_div::getRandomHexString() which does exactly that. And there is a code duplication since this method is also used in tx_install_ajax.
I would just remove these two methods and replace them with t3lib_div::getRandomHexString(96)
Btw. the method is never called with a different value, so this is indeed a regular cleanup and not security related.
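Added example (not code from this ticket or from TYPO3): a stand-alone PHP script that compares the length returned by the reported implementation with a version that honours the requested length, including an odd length. The function names are hypothetical and random_bytes() is assumed here as a stand-in for t3lib_div::generateRandomBytes().

```php
<?php
// Added illustration, not TYPO3 code. random_bytes() stands in for
// t3lib_div::generateRandomBytes() (assumption); function names are hypothetical.

/** Behaviour reported in the ticket: $keyLength only sizes the random input. */
function createEncryptionKeyReported(int $keyLength = 96): string
{
    $bytes = random_bytes($keyLength);
    // The fixed -96 offset decides the output length, not $keyLength.
    return substr(bin2hex($bytes), -96);
}

/** Returns a hex string of exactly $keyLength characters. */
function createEncryptionKeyCorrected(int $keyLength = 96): string
{
    if ($keyLength < 1) {
        throw new InvalidArgumentException('keyLength must be at least 1');
    }
    // Two hex characters per byte; round up so odd lengths are covered.
    $bytes = random_bytes(intdiv($keyLength + 1, 2));
    // Offset 0, length $keyLength: trims the extra character for odd lengths.
    return substr(bin2hex($bytes), 0, $keyLength);
}

// Constructed sample lengths: shorter than 96, odd, the default, longer than 96.
foreach ([32, 95, 96, 128] as $requested) {
    printf(
        "requested=%3d reported=%3d corrected=%3d\n",
        $requested,
        strlen(createEncryptionKeyReported($requested)),
        strlen(createEncryptionKeyCorrected($requested))
    );
}
```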
Updated by Mr. Jenkins almost 13 years ago
- Status changed from Accepted to Under Review
Patch set 1 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989
Updated by Mr. Jenkins almost 13 years ago
Patch set 2 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989
Updated by Mr. Jenkins almost 13 years ago
Patch set 3 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989
Updated by Mr. Jenkins almost 13 years ago
Patch set 4 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989
Updated by Gerrit Code Review over 12 years ago
Patch set 5 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6989
Updated by Gerrit Code Review almost 12 years ago
Patch set 6 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6989
Updated by Gerrit Code Review over 11 years ago
Patch set 1 for branch TYPO3_6-1 has been pushed to the review server.
It is available at https://review.typo3.org/21749
Updated by Gerrit Code Review over 11 years ago
Patch set 1 for branch TYPO3_6-0 has been pushed to the review server.
It is available at https://review.typo3.org/21750
Updated by Mario Rimann over 11 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset a626339b94368fef6c7fc66d20795a5f054a2b34.