Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Two Vulnerabilities in One Line #5

paragonie-scott opened this issue Jun 9, 2015 · 3 comments

Two Vulnerabilities in One Line #5

paragonie-scott opened this issue Jun 9, 2015 · 3 comments


Copy link

paragonie-scott commented Jun 9, 2015

This line of code has two cryptographic vulnerabilities.

  1. The PHP "magic hash" evaluation flaw
  2. String comparison is vulnerable to timing attacks

I'd suggest replacing it with hash_equals().

A MIT licensed polyfill for hash_equals() already exists.

Copy link

paragonie-scott commented Dec 6, 2015

Is there any interest in fixing this?

Copy link

rnapier commented Dec 6, 2015

My PHP background is weak, and I haven't heard from @curtisdf in a while. I've asked a colleague of mine with much more PHP experience to take a look. I'd also be happy to look at a pull request.

Thanks for the issue.

Copy link

curtisdf commented Dec 6, 2015

Hi @rnapier. Sorry for being AWOL. I wasn't receiving any emails about RNCryptor so it was out of sight out of mind.

I have migrated the project to use hash_equals() along with the polyfill library. I also took the opportunity to fix up our TravisCI configs. Since PHP 5.4 is at EOL, I have moved the minimum supported PHP version to 5.5. I also added support for testing in PHP7.

We are now at version 3.1.0. Thanks @paragonie-scott for the feedback.

@curtisdf curtisdf closed this as completed Dec 6, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

3 participants