
Kill Security::cipher()

It was never a good idea, and is very likely to be extremely insecure.
Using proper algorithms is a better plan.
markstory committed Jul 30, 2013
1 parent e07938e commit 696af52a90b5cde26c8bb8c0891c23a7f4ac73fc
Showing with 4 additions and 71 deletions.
  1. +0 −43 lib/Cake/Test/TestCase/Utility/SecurityTest.php
  2. +4 −28 lib/Cake/Utility/Security.php
@@ -198,49 +198,6 @@ public function testHashBlowfish() {
Security::setHash($_hashType);
}
/**
* testCipher method
*
* @return void
*/
public function testCipher() {
$length = 10;
$txt = '';
for ($i = 0; $i < $length; $i++) {
$txt .= mt_rand(0, 255);
}
$key = 'my_key';
$result = Security::cipher($txt, $key);
$this->assertEquals($txt, Security::cipher($result, $key));
$txt = '';
$key = 'my_key';
$result = Security::cipher($txt, $key);
$this->assertEquals($txt, Security::cipher($result, $key));
$txt = 123456;
$key = 'my_key';
$result = Security::cipher($txt, $key);
$this->assertEquals($txt, Security::cipher($result, $key));
$txt = '123456';
$key = 'my_key';
$result = Security::cipher($txt, $key);
$this->assertEquals($txt, Security::cipher($result, $key));
}
/**
* testCipherEmptyKey method
*
* @expectedException PHPUnit_Framework_Error
* @return void
*/
public function testCipherEmptyKey() {
$txt = 'some_text';
$key = '';
Security::cipher($txt, $key);
}
/**
* testRijndael method
*
@@ -20,6 +20,7 @@
namespace Cake\Utility;
use Cake\Core\Configure;
use Cake\Error;
/**
* Security Library contains utility methods related to security
@@ -169,39 +170,14 @@ public static function setCost($cost) {
}
/**
* Runs $text through a XOR cipher.
*
* *Note* This is not a cryptographically strong method and should not be used
* for sensitive data. Additionally this method does *not* work in environments
* where suhosin is enabled.
*
* Instead you should use Security::rijndael() when you need strong
* encryption.
*
* Deprecated method. Does nothing.
* @param string $text Encrypted string to decrypt, normal string to encrypt
* @param string $key Key to use
* @return string Encrypted/Decrypted string
* @throws Cake\Error\Exception
* @deprecated This method will be removed in 3.x
*/
public static function cipher($text, $key) {
if (empty($key)) {
trigger_error(__d('cake_dev', 'You cannot use an empty key for Security::cipher()'), E_USER_WARNING);
return '';
}
srand(Configure::read('Security.cipherSeed'));
$out = '';
$keyLength = strlen($key);
for ($i = 0, $textLength = strlen($text); $i < $textLength; $i++) {
$j = ord(substr($key, $i % $keyLength, 1));
while ($j--) {
rand(0, 255);
}
$mask = rand(0, 255);
$out .= chr(ord(substr($text, $i, 1)) ^ $mask);
}
srand();
return $out;
throw new Error\Exception(__d('cake_dev', 'Security::cipher() has been removed. Use Security::rijndael() to encrypt data'));
}
/**
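Review bot: The new docblock still advertises a return value (`@return string Encrypted/Decrypted string`) and describes `$text` as a string to encrypt or decrypt, while the only statement left in `cipher()` is the unconditional `throw new Error\Exception(...)`; the summary line `Deprecated method. Does nothing.` also contradicts that throw. Static analysis and IDE users will read the tag as a promise of a string and not see the exception until runtime. Replace the summary with `Removed method. Always throws an exception; use Security::rijndael() instead.`, drop the `@return` tag, and keep `@throws Cake\Error\Exception` so the only behaviour the method has is the one documented. Since `Configure::read('Security.cipherSeed')` was the only consumer of that key in this hunk, the `Security.cipherSeed` configuration entry and any documentation of it are presumably dead now and worth removing in a follow-up, if nothing else in the code base reads it.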
