[#14026] Use of raw_data in Horde_Crypt_Blowfish_Openssl
Summary Use of raw_data in Horde_Crypt_Blowfish_Openssl
Queue Horde Framework Packages
Type Bug
State Assigned
Priority 1. Low
Owners Horde Developers
Requester almarin@um.es
Created 2015-06-24 (1483 days ago)
Due
Updated 2016-03-08 (1225 days ago)
Assigned 2016-03-08 (1225 days ago)
Resolved
Milestone
Patch No

Comments
almarin@um.es 2015-06-24 12:58:27
Horde_Crypt_Blowfish_Openssl uses $raw_data = true in encrypt/decrypt 
operations, so the result can be any binary string, even a string 
starting with \0 at the beginning.

That causes issues like in Horde_Session, where values starting with 
\0 are considered NOT_SERIALIZED and are returned unencrypted
(https://github.com/horde/horde/blob/master/framework/Core/lib/Horde/Session.php#L355)

Can it be replaced with $raw_data = false to force the use of base64 
format? Of course, in both encrypt/decrypt operations.




Jan Schneider <jan@horde.org> 2015-09-17 18:43:50
> Can it be replaced with $raw_data = false to force the use of base64 
> format? Of course, in both encrypt/decrypt operations.

No, because the API of Horde_Crypt_Blowfish defines the input and 
output to be binary and portable.

We can probably change the logic in Horde_Session#get() to first check 
if the data is encrypted, and only check for the NOT_SERIALIZED flag 
if it is not. Do you by chance have some example data that produces 
leading NULs during encryption, so we can create a unit test?
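
The collision discussed in this ticket, as an added example that is not part of the original comments and is not Horde's code: it searches constructed plaintexts for a raw ciphertext that begins with \0, then reads it back with the marker check first and with the encrypted check first. Assumptions: AES-128-CBC stands in for Blowfish (which is not available in every OpenSSL build), the key, IV and plaintexts are constructed, and both reader functions are hypothetical, simplified models of the logic described above.

```php
<?php
// Added example, not Horde code. Key, IV and plaintexts are constructed.
const NOT_SERIALIZED = "\0";   // in-band marker named in the ticket
const CIPHER = 'aes-128-cbc';  // assumption: stand-in for Blowfish

function encrypt_raw(string $plain, string $key, string $iv): string {
    $ct = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) throw new RuntimeException('encrypt failed');
    return $ct;
}

function decrypt_raw(string $ct, string $key, string $iv): string {
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) throw new RuntimeException('decrypt failed');
    return $plain;
}

// Try constructed plaintexts until the raw ciphertext begins with NUL
// (about 1 in 256 does, since the first byte is effectively uniform).
function find_leading_nul(string $key, string $iv): array {
    for ($i = 0; $i < 100000; $i++) {
        $ct = encrypt_raw("value-$i", $key, $iv);
        if ($ct[0] === NOT_SERIALIZED) return ["value-$i", $ct];
    }
    throw new RuntimeException('no leading-NUL ciphertext found');
}

// Hypothetical reader: marker checked first, as reported in the ticket.
function get_marker_first(string $stored, bool $encrypted, string $key, string $iv) {
    if ($stored[0] === NOT_SERIALIZED) return substr($stored, 1);
    if ($encrypted) return decrypt_raw($stored, $key, $iv);
    return unserialize($stored, ['allowed_classes' => false]);
}

// Hypothetical reader: encrypted flag checked first, as proposed in the reply.
function get_encrypted_first(string $stored, bool $encrypted, string $key, string $iv) {
    if ($encrypted) return decrypt_raw($stored, $key, $iv);
    if ($stored[0] === NOT_SERIALIZED) return substr($stored, 1);
    return unserialize($stored, ['allowed_classes' => false]);
}

$key = str_repeat('k', 16);    // constructed 128-bit key
$iv  = str_repeat("\x01", 16); // fixed IV only to make the search repeatable
[$plain, $ct] = find_leading_nul($key, $iv);
printf("plaintext %s -> ciphertext %s\n", $plain, bin2hex($ct));
// Each line reports whether the reader recovered the original plaintext.
var_dump(get_marker_first($ct, true, $key, $iv) === $plain);
var_dump(get_encrypted_first($ct, true, $key, $iv) === $plain);
```

The plaintext and ciphertext pair it prints can serve as a fixture for a regression test of the read order.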

Jan Schneider <jan@horde.org> 2016-01-25 17:30:50
Ping?