Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Two Vulnerabilities in One Line #5

Closed
paragonie-scott opened this issue Jun 9, 2015 · 3 comments
Closed

Two Vulnerabilities in One Line #5

paragonie-scott opened this issue Jun 9, 2015 · 3 comments

Comments

@paragonie-scott
Copy link

This line of code has two cryptographic vulnerabilities.

  1. The PHP "magic hash" evaluation flaw
  2. String comparison is vulnerable to timing attacks

I'd suggest replacing it with hash_equals().

A MIT licensed polyfill for hash_equals() already exists.

@paragonie-scott
Copy link
Author

Is there any interest in fixing this?

@rnapier
Copy link
Member

rnapier commented Dec 6, 2015

My PHP background is weak, and I haven't heard from @curtisdf in a while. I've asked a colleague of mine with much more PHP experience to take a look. I'd also be happy to look at a pull request.

Thanks for the issue.

@curtisdf
Copy link
Contributor

curtisdf commented Dec 6, 2015

Hi @rnapier. Sorry for being AWOL. I wasn't receiving any emails about RNCryptor so it was out of sight out of mind.

I have migrated the project to use hash_equals() along with the polyfill library. I also took the opportunity to fix up our TravisCI configs. Since PHP 5.4 is at EOL, I have moved the minimum supported PHP version to 5.5. I also added support for testing in PHP7.

We are now at version 3.1.0. Thanks @paragonie-scott for the feedback.

@curtisdf curtisdf closed this as completed Dec 6, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants