6.0.0-git
2018-12-15

[#14026] Use of raw_data in Horde_Crypt_Blowfish_Openssl
Summary Use of raw_data in Horde_Crypt_Blowfish_Openssl
Queue Horde Framework Packages
Type Bug
State Assigned
Priority 1. Low
Owners Horde Developers (at)
Requester almarin (at) um (dot) es
Created 2015-06-24 (1270 days ago)
Due
Updated 2016-03-08 (1012 days ago)
Assigned 2016-03-08 (1012 days ago)
Resolved
Milestone
Patch No

History
2016-03-08 10:54:15 Jan Schneider Assigned to Horde Developers
State ⇒ Assigned

2016-01-25 17:30:50 Jan Schneider Comment #3
Ping?
2015-09-17 18:43:50 Jan Schneider Comment #2
State ⇒ Feedback
> Can it be replaced with $raw_data = false to force the use of base64
> format? Of course in both encrypt/decrypt operations.

No, because the API of Horde_Crypt_Blowfish defines the input and 
output to be binary and portable.

We can probably change the logic in Horde_Session#get() to first check 
if the data is encrypted, and only check for the NOT_SERIALIZED flag 
if it is not. Do you by chance have some example data that produces 
leading NULs during encryption, so we can create a unit test?
2015-06-24 12:58:27 almarin (at) um (dot) es Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Summary ⇒ Use of raw_data in Horde_Crypt_Blowfish_Openssl
Queue ⇒ Horde Framework Packages
Milestone ⇒
Patch ⇒ No
Horde_Crypt_Blowfish_Openssl uses $raw_data = true in encrypt/decrypt 
operations, so the result can be any binary string, even a string 
starting with \0 at the beginning.

That causes issues like in Horde_Session, where values starting with 
\0 are considered NOT_SERIALIZED and are returned unencrypted
(https://github.com/horde/horde/blob/master/framework/Core/lib/Horde/Session.php#L355).

Can it be replaced with $raw_data = false to force the use of base64 
format? Of course in both encrypt/decrypt operations.
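
A simplified model of the collision discussed in this ticket, added here as an example and not taken from Horde: raw ciphertext that happens to begin with a NUL byte is mistaken for a NOT_SERIALIZED value, and the lookup order proposed in comment #2 avoids it. The class `DemoSession`, its method names, the out-of-band `$encrypted` map, the fixed key and IV, and the use of AES-128-CBC in place of Blowfish are all assumptions made for the demonstration.

```php
<?php
// Added illustration, not Horde code. AES-128-CBC stands in for Blowfish
// (an assumption: OpenSSL 3 ships Blowfish only in its legacy provider).
const NOT_SERIALIZED = "\0";   // in-band marker, as described in the ticket
const CIPHER = 'aes-128-cbc';
final class DemoSession        // hypothetical class
{
    private array $data = [];
    private array $encrypted = [];   // out-of-band record of encrypted keys (assumption)

    public function __construct(private string $key, private string $iv) {}

    public function setEncrypted(string $name, string $value): void
    {
        // Raw binary output: any first byte is possible, including "\0".
        $this->data[$name] = openssl_encrypt($value, CIPHER, $this->key, OPENSSL_RAW_DATA, $this->iv);
        $this->encrypted[$name] = true;
    }

    // Order reported in the ticket: the marker test runs first.
    public function getMarkerFirst(string $name): mixed
    {
        $v = $this->data[$name];
        if ($v !== '' && $v[0] === NOT_SERIALIZED) {
            return substr($v, 1);    // ciphertext mistaken for a plain value
        }
        return openssl_decrypt($v, CIPHER, $this->key, OPENSSL_RAW_DATA, $this->iv);
    }

    // Order proposed in comment #2: the encryption check runs first.
    public function getEncryptedFirst(string $name): mixed
    {
        $v = $this->data[$name];
        if (isset($this->encrypted[$name])) {
            return openssl_decrypt($v, CIPHER, $this->key, OPENSSL_RAW_DATA, $this->iv);
        }
        return ($v !== '' && $v[0] === NOT_SERIALIZED) ? substr($v, 1) : unserialize($v);
    }
}

// Constructed input: fixed demo key and IV, counter plaintexts tried until
// one encrypts to a ciphertext whose first byte is NUL (about 1 in 256).
$s = new DemoSession(str_repeat('k', 16), str_repeat('i', 16));
for ($i = 0, $hit = false; $i < 100000 && !$hit; $i++) {
    $s->setEncrypted('pw', $plain = "secret-$i");
    $hit = $s->getMarkerFirst('pw') !== $plain;
}
printf("hit=%s plaintext=%s\nmarker-first:    %s (hex)\nencrypted-first: %s\n",
    var_export($hit, true), $plain, bin2hex($s->getMarkerFirst('pw')), $s->getEncryptedFirst('pw'));
```

The same loop, pointed at a real encrypt call, is one way to produce the example data requested in comment #2 for a unit test.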