Tickets :: [#14026] Use of raw_data in Horde_Crypt_Blowfish_Openssl

6.0.0-git

2020-07-10

Summary	Use of raw_data in Horde_Crypt_Blowfish_Openssl
Queue	Horde Framework Packages
Type	Bug
State	Assigned
Priority	1. Low
Owners	Horde Developers (at)
Requester	almarin (at) um (dot) es
Created	2015-06-24 (1843 days ago)
Due
Updated	2016-03-08 (1585 days ago)
Assigned	2016-03-08 (1585 days ago)
Resolved
Milestone
Patch	No

2016-03-08 10:54:15	Jan Schneider	Assigned to Horde Developers State ⇒ Assigned

2016-01-25 17:30:50	Jan Schneider	Comment #3	Reply to this comment
Ping?

2015-09-17 18:43:50	Jan Schneider	Comment #2 State ⇒ Feedback	Reply to this comment
Can be replaced with $raw_data = false to force the use of base64 format? Of course in both encrypt/decrypt operations No, because the API of Horde_Crypt_Blowfish defines the input and output to be binary and portable. We can probably change the logic in Horde_Session#get() to first check if the data is encrypted, and only check for the NOT_SERIALIZED flag if it is not. Do you by chance have some example data that produces leading NULs during encryption, so we can create a unit test?

2015-06-24 12:58:27	almarin (at) um (dot) es	Comment #1 Type ⇒ Bug State ⇒ Unconfirmed Priority ⇒ 1. Low Summary ⇒ Use of raw_data in Horde_Crypt_Blowfish_Openssl Queue ⇒ Horde Framework Packages Milestone ⇒ Patch ⇒ No	Reply to this comment
Horde_Crypt_Blowfish_Openssl uses $raw_data = true in encrypt/decrypt operations, so the result can be any binary string, even a string starting with \0 at the beginning. That causes issues like in Horde_Session, where values starting with \0 are considered NOT_SERIALIZED and are returned unencrypted (https://github.com/horde/horde/blob/master/framework/Core/lib/Horde/Session.php#L355) Can be replaced with $raw_data = false to force the use of base64 format? Of course in both encrypt/decrypt operations