Project

General

Profile

Actions

Bug #29220

closed

createEncryptionKey always returns key with 96 characters

Added by Adrian Rochau about 13 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
Backend API
Target version:
-
Start date:
2011-08-24
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
Tags:
Complexity:
no-brainer
Is Regression:
Sprint Focus:

Description

In file introductionpackage-4.5.4\typo3\sysext\install\mod\class.tx_install.php in function createEncryptionKey a parameter $keyLength can be set but is ignored in the end.

Since bin2hex returns two characters for each byte the following version should be sufficient.

Instead of:

public function createEncryptionKey($keyLength = 96) {
    $bytes = t3lib_div::generateRandomBytes($keyLength);
    return substr(bin2hex($bytes), -96);
}

Use:

public function createEncryptionKey($keyLength = 96) {
    $bytes = t3lib_div::generateRandomBytes(ceil($keyLength/2));
    return substr(bin2hex($bytes), $keyLength);
}

Actions #1

Updated by Ingmar Schlecht about 13 years ago

  • Assignee set to Helmut Hummel

@Helmut, could you check it and dispatch the bug to someone in the security team please? Thx in advance!

Actions #2

Updated by Steffen Gebert about 13 years ago

I wouldn't treat this as security issue. It's a normal bug.

Actions #3

Updated by Steffen Gebert about 13 years ago

  • Status changed from New to Accepted

Confirmed by Unit Test in #29368

I'm not yet working on a solution (so if sb. else wants to pick this, feel free!). Adrian, could you push a patch to Gerrit? See http://wiki.typo3.org/Git

Actions #4

Updated by Steffen Gebert about 13 years ago

  • Parent task set to #29368
Actions #5

Updated by Helmut Hummel about 13 years ago

Just use t3lib_div::getRandomHexString() which does exactly that. And there is a code duplication since this method is also used in tx_install_ajax

I would just remove these two methods and replace them with t3lib_div::getRandomHexString(96)

Btw. the method is never called with a different value, so this is indeed a regular cleanup and not security related.

Actions #6

Updated by Mr. Jenkins almost 13 years ago

  • Status changed from Accepted to Under Review

Patch set 1 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

Actions #7

Updated by Mr. Jenkins almost 13 years ago

Patch set 2 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

Actions #8

Updated by Mr. Jenkins almost 13 years ago

Patch set 3 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

Actions #9

Updated by Mr. Jenkins almost 13 years ago

Patch set 4 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989

Actions #10

Updated by Steffen Gebert over 12 years ago

  • Parent task deleted (#29368)
Actions #11

Updated by Gerrit Code Review over 12 years ago

Patch set 5 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6989

Actions #12

Updated by Gerrit Code Review almost 12 years ago

Patch set 6 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6989

Actions #13

Updated by Gerrit Code Review over 11 years ago

Patch set 1 for branch TYPO3_6-1 has been pushed to the review server.
It is available at https://review.typo3.org/21749

Actions #14

Updated by Gerrit Code Review over 11 years ago

Patch set 1 for branch TYPO3_6-0 has been pushed to the review server.
It is available at https://review.typo3.org/21750

Actions #15

Updated by Mario Rimann over 11 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #16

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF