Bug #29220

createEncryptionKey always returns key with 96 characters

Added by Adrian Rochau almost 8 years ago. Updated 8 months ago.

Status: Closed
Priority: Should have
Assignee:
Category: Backend API
Target version: -
Start date: 2011-08-24
Due date:
% Done: 100%
TYPO3 Version: 4.5
PHP Version:
Tags:
Complexity: no-brainer
Is Regression:
Sprint Focus:

Description

In file introductionpackage-4.5.4\typo3\sysext\install\mod\class.tx_install.php in function createEncryptionKey a parameter $keyLength can be set but is ignored in the end.

Since bin2hex returns two characters for each byte the following version should be sufficient.

Instead of:

public function createEncryptionKey($keyLength = 96) {
    $bytes = t3lib_div::generateRandomBytes($keyLength);
    return substr(bin2hex($bytes), -96);
}

Use:

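public function createEncryptionKey($keyLength = 96) {
    // bin2hex() yields two hex characters per byte, so half as many bytes are needed
    $bytes = t3lib_div::generateRandomBytes(ceil($keyLength/2));
    // Keep the first $keyLength characters (drops the surplus one for odd lengths)
    return substr(bin2hex($bytes), 0, $keyLength);
}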
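
The length arithmetic from the description, as an added stand-alone example that is not part of the ticket or of TYPO3's code. It assumes PHP 7+ and uses random_bytes() in place of t3lib_div::generateRandomBytes(); the function names are hypothetical.

```php
<?php
// Added illustration. random_bytes() stands in for
// t3lib_div::generateRandomBytes(); all function names are hypothetical.

// Behaviour reported in the ticket: the suffix length is hard-coded to 96,
// so $keyLength only controls how many bytes are drawn, not the result size.
function createEncryptionKeyReported(int $keyLength = 96): string {
    $bytes = random_bytes($keyLength);
    return substr(bin2hex($bytes), -96);
}

// Length-respecting variant: n bytes give 2n hex characters, so draw
// ceil(n / 2) bytes and cut the hex string to exactly $keyLength characters.
function createEncryptionKeyFixed(int $keyLength = 96): string {
    if ($keyLength < 1) {
        throw new InvalidArgumentException('keyLength must be >= 1');
    }
    $bytes = random_bytes(intdiv($keyLength + 1, 2));
    return substr(bin2hex($bytes), 0, $keyLength);
}

// Compare both variants for even, odd, default and oversized requests.
function compareLengths(array $requestedLengths): array {
    $rows = [];
    foreach ($requestedLengths as $requested) {
        $fixed = createEncryptionKeyFixed($requested);
        if (strlen($fixed) !== $requested || !ctype_xdigit($fixed)) {
            throw new RuntimeException("unexpected key for length $requested");
        }
        $rows[] = [
            'requested'    => $requested,
            'reported'     => strlen(createEncryptionKeyReported($requested)),
            'fixed'        => strlen($fixed),
            // Each hex character carries 4 bits of the random input.
            'entropy_bits' => 4 * $requested,
        ];
    }
    return $rows;
}

foreach (compareLengths([16, 47, 96, 128]) as $row) {
    printf(
        "requested=%3d reported=%3d fixed=%3d entropy=%d bits\n",
        $row['requested'], $row['reported'], $row['fixed'], $row['entropy_bits']
    );
}
```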

Associated revisions

Revision 274a2018 (diff)
Added by Mario Rimann almost 6 years ago

[TASK] createEncryptionKey always returns key with 96 characters

Update the createEncryptionKey method to use the same underlying
call as its copy in the eID script.

Change-Id: I666a3620080fd0f5281e899250f5c710e2550173
Resolves: #29220
Releases: 6.0, 6.1
Reviewed-on: https://review.typo3.org/21749
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe

Revision a626339b (diff)
Added by Mario Rimann almost 6 years ago

[TASK] createEncryptionKey always returns key with 96 characters

Update the createEncryptionKey method to use the same underlying
call as its copy in the eID script.

Change-Id: I666a3620080fd0f5281e899250f5c710e2550173
Resolves: #29220
Releases: 6.0, 6.1
Reviewed-on: https://review.typo3.org/21750
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe

History

#1 Updated by Ingmar Schlecht over 7 years ago

  • Assignee set to Helmut Hummel

@Helmut, could you check it and dispatch the bug to someone in the security team please? Thx in advance!

#2 Updated by Steffen Gebert over 7 years ago

I wouldn't treat this as a security issue. It's a normal bug.

#3 Updated by Steffen Gebert over 7 years ago

  • Status changed from New to Accepted

Confirmed by Unit Test in #29368

I'm not yet working on a solution (so if sb. else wants to pick this, feel free!). Adrian, could you push a patch to Gerrit? See http://wiki.typo3.org/Git

#4 Updated by Steffen Gebert over 7 years ago

  • Parent task set to #29368

#5 Updated by Helmut Hummel over 7 years ago

Just use t3lib_div::getRandomHexString(), which does exactly that. And there is a code duplication, since this method is also used in tx_install_ajax.

I would just remove these two methods and replace them with t3lib_div::getRandomHexString(96)

Btw. the method is never called with a different value, so this is indeed a regular cleanup and not security related.

#6 Updated by Mr. Jenkins over 7 years ago

  • Status changed from Accepted to Under Review

Patch set 1 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

#7 Updated by Mr. Jenkins over 7 years ago

Patch set 2 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

#8 Updated by Mr. Jenkins over 7 years ago

Patch set 3 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

#9 Updated by Mr. Jenkins over 7 years ago

Patch set 4 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

#10 Updated by Steffen Gebert over 7 years ago

  • Parent task deleted (#29368)

#11 Updated by Gerrit Code Review almost 7 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6989

#12 Updated by Gerrit Code Review over 6 years ago

Patch set 6 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6989

#13 Updated by Gerrit Code Review almost 6 years ago

Patch set 1 for branch TYPO3_6-1 has been pushed to the review server.
It is available at https://review.typo3.org/21749

#14 Updated by Gerrit Code Review almost 6 years ago

Patch set 1 for branch TYPO3_6-0 has been pushed to the review server.
It is available at https://review.typo3.org/21750

#15 Updated by Mario Rimann almost 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#16 Updated by Benni Mack 8 months ago

  • Status changed from Resolved to Closed
