Bug #29220
closed
createEncryptionKey always returns key with 96 characters
Added by Adrian Rochau about 13 years ago.
Updated about 6 years ago.
Description
In file introductionpackage-4.5.4\typo3\sysext\install\mod\class.tx_install.php in function createEncryptionKey a parameter $keyLength can be set but is ignored in the end.
Since bin2hex returns two characters for each byte the following version should be sufficient.
Instead of:
public function createEncryptionKey($keyLength = 96) {
$bytes = t3lib_div::generateRandomBytes($keyLength);
return substr(bin2hex($bytes), -96);
}
Use:
public function createEncryptionKey($keyLength = 96) {
// two hex characters per byte, so half the requested length in bytes suffices
$bytes = t3lib_div::generateRandomBytes(ceil($keyLength/2));
// keep the first $keyLength characters (drops the surplus one for odd lengths)
return substr(bin2hex($bytes), 0, $keyLength);
}
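A stand-alone illustration of the length behaviour described above, added here and not part of the report or of TYPO3; it substitutes PHP's random_bytes() for t3lib_div::generateRandomBytes() and compares the original method with a version that honours $keyLength.

```php
<?php
// Added example (not TYPO3 code). random_bytes() stands in for
// t3lib_div::generateRandomBytes(); both return raw random bytes.

// Honours $keyLength: bin2hex() yields two hex characters per byte,
// so ceil($keyLength / 2) bytes are enough, and substr(..., 0, $keyLength)
// trims the one surplus character that odd lengths produce.
function createEncryptionKey(int $keyLength = 96): string {
    if ($keyLength < 1) {
        throw new InvalidArgumentException('key length must be positive');
    }
    $bytes = random_bytes(intdiv($keyLength + 1, 2));
    return substr(bin2hex($bytes), 0, $keyLength);
}

// Behaviour of the method as reported: $keyLength only changes how many
// bytes are drawn; the result is the last 96 hex characters, so any
// request of 48 bytes or more yields exactly 96 characters.
function createEncryptionKeyAsReported(int $keyLength = 96): string {
    $bytes = random_bytes($keyLength);
    return substr(bin2hex($bytes), -96);
}

foreach ([32, 64, 95, 96, 128] as $len) {
    printf("requested %3d -> fixed %3d chars, reported %3d chars\n",
        $len,
        strlen(createEncryptionKey($len)),
        strlen(createEncryptionKeyAsReported($len)));
}
```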
- Assignee set to Helmut Hummel
@Helmut, could you check it and dispatch the bug to someone in the security team please? Thx in advance!
I wouldn't treat this as security issue. It's a normal bug.
- Status changed from New to Accepted
Confirmed by Unit Test in #29368
I'm not yet working on a solution (so if sb. else wants to pick this, feel free!). Adrian, could you push a patch to Gerrit? See http://wiki.typo3.org/Git
- Parent task set to #29368
Just use t3lib_div::getRandomHexString() which does exactly that. And there is a code duplication since this method is also used in tx_install_ajax
I would just remove these two methods and replace them with t3lib_div::getRandomHexString(96)
Btw. the method is never called with a different value, so this is indeed a regular cleanup and not security related.
- Status changed from Accepted to Under Review
Patch set 1 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989
Patch set 2 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989
Patch set 3 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989
Patch set 4 of change I666a3620080fd0f5281e899250f5c710e2550173 has been pushed to the review server.
It is available at http://review.typo3.org/6989
- Parent task deleted (#29368)
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
- Status changed from Resolved to Closed