Two Vulnerabilities in One Line #5
Comments
Is there any interest in fixing this?
My PHP background is weak, and I haven't heard from @curtisdf in a while. I've asked a colleague of mine with much more PHP experience to take a look. I'd also be happy to look at a pull request. Thanks for the issue.
Hi @rnapier. Sorry for being AWOL. I wasn't receiving any emails about RNCryptor so it was out of sight out of mind. I have migrated the project to use hash_equals() along with the polyfill library. I also took the opportunity to fix up our TravisCI configs. Since PHP 5.4 is at EOL, I have moved the minimum supported PHP version to 5.5. I also added support for testing in PHP7. We are now at version 3.1.0. Thanks @paragonie-scott for the feedback.
This line of code has two cryptographic vulnerabilities.
I'd suggest replacing it with hash_equals(). An MIT-licensed polyfill for hash_equals() already exists.