Bug #29220

createEncryptionKey always returns key with 96 characters

Added by Adrian Rochau almost 10 years ago. Updated over 2 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: Backend API
Target version: -
Start date: 2011-08-24
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.5
PHP Version:
Tags:
Complexity: no-brainer
Is Regression:
Sprint Focus:

Description

In file introductionpackage-4.5.4\typo3\sysext\install\mod\class.tx_install.php in function createEncryptionKey a parameter $keyLength can be set but is ignored in the end.

Since bin2hex returns two characters for each byte the following version should be sufficient.

Instead of:

public function createEncryptionKey($keyLength = 96) {
    $bytes = t3lib_div::generateRandomBytes($keyLength);
    return substr(bin2hex($bytes), -96);
}

Use:

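public function createEncryptionKey($keyLength = 96) {
    // bin2hex() yields two hex characters per byte, so half as many bytes are needed
    $bytes = t3lib_div::generateRandomBytes(ceil($keyLength/2));
    // Start at offset 0 and keep exactly $keyLength characters
    return substr(bin2hex($bytes), 0, $keyLength);
}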
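
An added example (not part of the original report or of the TYPO3 code base) that compares the output length of the implementation quoted above with a length-respecting variant for several requested lengths, including an odd one. random_bytes() is an assumed stand-in for t3lib_div::generateRandomBytes(), and both function names are hypothetical.

```php
<?php
// Added illustration. random_bytes() (PHP 7+) is an assumed stand-in for
// t3lib_div::generateRandomBytes(); the function names are hypothetical.

// Behaviour quoted in the ticket: $keyLength only controls how many random
// bytes are drawn, the result is always cut with a hard-coded -96.
function createEncryptionKeyOriginal($keyLength = 96) {
    $bytes = random_bytes($keyLength);
    return substr(bin2hex($bytes), -96);
}

// Length-respecting variant: bin2hex() emits two characters per byte, so
// ceil($keyLength / 2) bytes are enough; an odd length is trimmed by substr().
function createEncryptionKeyFixed($keyLength = 96) {
    if (!is_int($keyLength) || $keyLength < 1) {
        throw new InvalidArgumentException('keyLength must be a positive integer');
    }
    $bytes = random_bytes((int) ceil($keyLength / 2));
    return substr(bin2hex($bytes), 0, $keyLength);
}

// Requested lengths are constructed sample values.
foreach (array(16, 33, 96, 128) as $requested) {
    $old = createEncryptionKeyOriginal($requested);
    $new = createEncryptionKeyFixed($requested);
    // Each hex character carries 4 bits of the underlying random bytes.
    printf(
        "requested=%3d  original=%3d chars  fixed=%3d chars (%d bits)\n",
        $requested,
        strlen($old),
        strlen($new),
        strlen($new) * 4
    );
}
```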

#1

Updated by Ingmar Schlecht almost 10 years ago

  • Assignee set to Helmut Hummel

@Helmut, could you check it and dispatch the bug to someone in the security team please? Thx in advance!

#2

Updated by Steffen Gebert almost 10 years ago

I wouldn't treat this as a security issue. It's a normal bug.

#3

Updated by Steffen Gebert almost 10 years ago

  • Status changed from New to Accepted

Confirmed by Unit Test in #29368

I'm not yet working on a solution (so if sb. else wants to pick this, feel free!). Adrian, could you push a patch to Gerrit? See http://wiki.typo3.org/Git

#4

Updated by Steffen Gebert almost 10 years ago

  • Parent task set to #29368

#5

Updated by Helmut Hummel almost 10 years ago

Just use t3lib_div::getRandomHexString(), which does exactly that. And there is a code duplication since this method is also used in tx_install_ajax.

I would just remove these two methods and replace them with t3lib_div::getRandomHexString(96)

Btw. the method is never called with a different value, so this is indeed a regular cleanup and not security related.

#6

Updated by Mr. Jenkins over 9 years ago

  • Status changed from Accepted to Under Review

Patch set 1 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

#7

Updated by Mr. Jenkins over 9 years ago

Patch set 2 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

#8

Updated by Mr. Jenkins over 9 years ago

Patch set 3 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

#9

Updated by Mr. Jenkins over 9 years ago

Patch set 4 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

#10

Updated by Steffen Gebert over 9 years ago

  • Parent task deleted (#29368)

#11

Updated by Gerrit Code Review almost 9 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6989

#12

Updated by Gerrit Code Review over 8 years ago

Patch set 6 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6989

#13

Updated by Gerrit Code Review almost 8 years ago

Patch set 1 for branch TYPO3_6-1 has been pushed to the review server.
It is available at https://review.typo3.org/21749

#14

Updated by Gerrit Code Review almost 8 years ago

Patch set 1 for branch TYPO3_6-0 has been pushed to the review server.
It is available at https://review.typo3.org/21750

#15

Updated by Mario Rimann almost 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#16

Updated by Benni Mack over 2 years ago

  • Status changed from Resolved to Closed
