diff --git a/framework/Core/lib/Horde/Core/Factory/Secret/Cbc.php b/framework/Core/lib/Horde/Core/Factory/Secret/Cbc.php
new file mode 100644
index 00000000000..ef3046e679b
--- /dev/null
+++ b/framework/Core/lib/Horde/Core/Factory/Secret/Cbc.php
@@ -0,0 +1,22 @@
+ $conf['cookie']['domain'],
+ 'cookie_path' => $conf['cookie']['path'],
+ 'cookie_ssl' => $conf['use_ssl'] == 1,
+ 'iv' => $conf['secret_key'],
+ 'session_name' => $conf['session']['name']
+ ));
+ }
+}
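Review bot: `'iv' => $conf['secret_key']` on L10 feeds a static configuration value to the CBC cipher as its IV, so every value encrypted under the same key shares one IV and CBC then reveals when two plaintexts begin with the same block. If the secret machinery cannot carry a per-message IV, the factory should at least say so, e.g. `// IV is the static secret_key: identical leading plaintext blocks encrypt identically across values`. `'cookie_ssl' => $conf['use_ssl'] == 1` on L9 relies on loose comparison; if the config value is known to be an int, `=== 1` is the safer form. The enclosing method starts outside the hunk, and the hunk itself appears truncated (it begins mid-array).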
diff --git a/framework/Core/lib/Horde/Core/Secret/Cbc.php b/framework/Core/lib/Horde/Core/Secret/Cbc.php
new file mode 100644
index 00000000000..b97035d3371
--- /dev/null
+++ b/framework/Core/lib/Horde/Core/Secret/Cbc.php
@@ -0,0 +1,54 @@
+
+ * @category Horde
+ * @copyright 2015 Horde LLC
+ * @license http://www.horde.org/licenses/lgpl21 LGPL
+ * @package Core
+ * @since 2.20.0
+ */
+class Horde_Core_Secret_Cbc extends Horde_Core_Secret
+{
+ /**
+ */
+ protected function _getCipherOb($key)
+ {
+ global $conf;
+
+ if (!isset($this->_cipherCache[self::HORDE_KEYNAME])) {
+ /* Use more secure CBC mode (rather than ECB). */
+ $this->_cipherCache[self::HORDE_KEYNAME] = new Horde_Crypt_Blowfish(
+ substr($key, 0, 56),
+ array(
+ 'cipher' => 'cbc',
+ 'iv' => $this->_params['iv']
+ )
+ );
+ }
+
+ return $this->_cipherCache[self::HORDE_KEYNAME];
+ }
+
+}
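Review bot: The docblock for `_getCipherOb()` at L30-31 is empty and `global $conf;` at L34 is declared but never used in the method body; drop the global and document the contract, e.g. `/** Returns the cached Blowfish cipher in CBC mode for $key; the key is truncated to Blowfish's 56-byte maximum and the IV comes from $this->_params['iv']. */`. The cache at L36 is keyed on `self::HORDE_KEYNAME` alone, not on `$key`, so a later call with a different key silently returns the cipher built for the first one — presumably this mirrors the parent class, but that class is outside the hunk and worth confirming. The silent `substr($key, 0, 56)` truncation at L39 deserves an inline why-comment so a future reader does not read it as a bug. The hunk appears truncated at its start (it opens mid-docblock).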
diff --git a/framework/Core/lib/Horde/Registry.php b/framework/Core/lib/Horde/Registry.php
index 43daddca18b..c3183c35c95 100644
--- a/framework/Core/lib/Horde/Registry.php
+++ b/framework/Core/lib/Horde/Registry.php
@@ -432,6 +432,7 @@ public function __construct($session_flags = 0, array $args = array())
'Horde_Routes_Mapper' => 'Horde_Core_Factory_Mapper',
'Horde_Routes_Matcher' => 'Horde_Core_Factory_Matcher',
'Horde_Secret' => 'Horde_Core_Factory_Secret',
+ 'Horde_Secret_Cbc' => 'Horde_Core_Factory_Secret_Cbc',
'Horde_Service_Facebook' => 'Horde_Core_Factory_Facebook',
'Horde_Service_Twitter' => 'Horde_Core_Factory_Twitter',
'Horde_Service_UrlShortener' => 'Horde_Core_Factory_UrlShortener',
diff --git a/framework/Core/lib/Horde/Session.php b/framework/Core/lib/Horde/Session.php
index 08dd23816f7..4a881b46550 100644
--- a/framework/Core/lib/Horde/Session.php
+++ b/framework/Core/lib/Horde/Session.php
@@ -277,7 +277,7 @@ public function clean()
$this->_data = array();
$this->_start();
- $GLOBALS['injector']->getInstance('Horde_Secret')->setKey();
+ $GLOBALS['injector']->getInstance('Horde_Secret_Cbc')->setKey();
$this->_cleansession = true;
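Review bot: `clean()` now initialises the key only on the `Horde_Secret_Cbc` instance, and `destroy()` at L78 likewise clears only that instance, while the plain `Horde_Secret` binding remains registered (see the Registry hunk) for any other caller. If the key is held per instance rather than in shared cookie/session state, a key set on `Horde_Secret` elsewhere would survive `destroy()`; clearing both, `$GLOBALS['injector']->getInstance('Horde_Secret')->clearKey();` next to L78, would be the conservative choice, or a comment stating that the key lives in shared state and one clear suffices. Whether the two instances share key storage is not visible in this diff. Both `clean()` and `destroy()` extend outside their hunks.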
@@ -303,7 +303,7 @@ public function destroy()
session_destroy();
}
$this->_cleansession = true;
- $GLOBALS['injector']->getInstance('Horde_Secret')->clearKey();
+ $GLOBALS['injector']->getInstance('Horde_Secret_Cbc')->clearKey();
}
/**
@@ -355,7 +355,7 @@ public function get($app, $name, $mask = 0)
}
if (isset($this->_data[self::ENCRYPTED][$app][$name])) {
- $secret = $injector->getInstance('Horde_Secret');
+ $secret = $injector->getInstance('Horde_Secret_Cbc');
$value = strval($secret->read($secret->getKey(), $value));
}
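Review bot: `get()` now decrypts with `Horde_Secret_Cbc` at L85-86, but any session data written by the previous release's `Horde_Secret` (the changelog describes ECB having been used in the interim) will not decrypt correctly under CBC, and the `strval()` wrapper turns a failed or garbled decrypt into a plain string with no error. A comment at L85 stating the assumption, e.g. `// Encrypted session values predating 2.20.0 were written with a different cipher mode and will not read back`, or an explicit session invalidation on upgrade, would make the behaviour deliberate. Whether live sessions survive the upgrade depends on deployment, so this may be a non-issue in practice. `get()` continues outside the hunk.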
@@ -427,7 +427,7 @@ public function set($app, $name, $value, $mask = 0)
$value = $injector->getInstance('Horde_Pack')->pack($value, $opts);
if ($mask & self::ENCRYPT) {
- $secret = $injector->getInstance('Horde_Secret');
+ $secret = $injector->getInstance('Horde_Secret_Cbc');
$value = $secret->write($secret->getKey(), $value);
$this->_data[self::ENCRYPTED][$app][$name] = true;
}
diff --git a/framework/Core/package.xml b/framework/Core/package.xml
index 7d951be2cba..a61415b4a52 100644
--- a/framework/Core/package.xml
+++ b/framework/Core/package.xml
@@ -28,10 +28,10 @@
mrubinsk@horde.org
yes
- 2015-03-04
+ 2015-03-06
- 2.19.3
- 2.19.0
+ 2.20.0
+ 2.20.0
stable
@@ -39,7 +39,7 @@
LGPL-2.1
-*
+* [mms] Fix regression in removing CBC cipher mode when encrypting data within a session (Bug #13869).
@@ -407,6 +407,9 @@
+
+
+
@@ -572,6 +575,9 @@
+
+
+
@@ -1880,6 +1886,7 @@
+
@@ -1918,6 +1925,7 @@
+
@@ -3854,15 +3862,15 @@
- 2.19.3
- 2.19.0
+ 2.20.0
+ 2.20.0
stable
stable
- 2015-03-04
+ 2015-03-06
LGPL-2.1
-*
+* [mms] Fix regression in removing CBC cipher mode when encrypting data within a session (Bug #13869).