php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #80843 Remove examples from comments as they are invariably insecure
Submitted: 2021-03-07 11:38 UTC Modified: -
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: maarten dot bodewes at gmail dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: 8.0.3 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: maarten dot bodewes at gmail dot com
New email:
PHP Version: OS:

 

 [2021-03-07 11:38 UTC] maarten dot bodewes at gmail dot com
Description:
------------
---
From manual page: https://php.net/function.openssl-encrypt
---

Remove examples from the comments sections of the OpenSSL libraries as they are invariably insecure.

Here the most upvoted example for some reason uses SHA3 for HMAC, which is unnecessarily strong and very slow compared to e.g. SHA-256. Much worse is that the IV is not included in the HMAC calculation, which means an attacker can change each of the initial 16 bytes at will. The problem is that I can leave a comment, but it will take years before it gets noticed.

Please remove all those examples from security functions because COPY/PASTE security doesn't exist. At least not from unknown sources that for some reason get upvoted and can never be retracted. Comments should only be applicable to the function itself.

Please write the sample code yourself and have it reviewed by a security professional because the authors of the OpenSSL library clearly are not very capable either; if you confuse passwords and keys then you've got some things to learn yet.

I'm Maarten Bodewes. I've corrected (terrible) examples of mcrypt_encrypt before and indicated that mcrypt was insecure and unmaintained. I'm #1 user for the cryptography tags at StackOverflow and mod at the cryptography site of StackExchange.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-12-30 05:50 UTC] amin dot jab242 at gmail dot com
Thanks (https://www.dinarrecaps.org/)github.com
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 01:01:28 2024 UTC