php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #80843 Remove examples from comments as they are invariably insecure
Submitted: 2021-03-07 11:38 UTC Modified: -
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: maarten dot bodewes at gmail dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: 8.0.3 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
34 - 8 = ?
Subscribe to this entry?

 
 [2021-03-07 11:38 UTC] maarten dot bodewes at gmail dot com
Description:
------------
---
From manual page: https://php.net/function.openssl-encrypt
---

Remove examples from the comments sections of the OpenSSL libraries as they are invariably insecure.

Here the most upvoted example for some reason uses SHA3 for HMAC, which is unnecessarily strong and very slow compared to e.g. SHA-256. Much worse is that the IV is not included in the HMAC calculation, which means an attacker can change each of the initial 16 bytes at will. The problem is that I can leave a comment, but it will take years before it gets noticed.

Please remove all those examples from security functions because COPY/PASTE security doesn't exist. At least not from unknown sources that for some reason get upvoted and can never be retracted. Comments should only be applicable to the function itself.

Please write the sample code yourself and have it reviewed by a security professional because the authors of the OpenSSL library clearly are not very capable either; if you confuse passwords and keys then you've got some things to learn yet.

I'm Maarten Bodewes. I've corrected (terrible) examples of mcrypt_encrypt before and indicated that mcrypt was insecure and unmaintained. I'm #1 user for the cryptography tags at StackOverflow and mod at the cryptography site of StackExchange.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-12-30 05:50 UTC] amin dot jab242 at gmail dot com
Thanks (https://www.dinarrecaps.org/)github.com
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 13:01:29 2024 UTC