Kill Security::cipher()

It was never a good idea, and is very likely to be extremely insecure. Using proper algorithms is a better plan.
cakephp · Jul 30, 2013 · 696af52 · 696af52
1 parent e07938e
commit 696af52
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 71 deletions.
diff --git a/lib/Cake/Test/TestCase/Utility/SecurityTest.php b/lib/Cake/Test/TestCase/Utility/SecurityTest.php
@@ -198,49 +198,6 @@ public function testHashBlowfish() {
 		Security::setHash($_hashType);
 	}
 
-/**
- * testCipher method
- *
- * @return void
- */
-	public function testCipher() {
-		$length = 10;
-		$txt = '';
-		for ($i = 0; $i < $length; $i++) {
-			$txt .= mt_rand(0, 255);
-		}
-		$key = 'my_key';
-		$result = Security::cipher($txt, $key);
-		$this->assertEquals($txt, Security::cipher($result, $key));
-
-		$txt = '';
-		$key = 'my_key';
-		$result = Security::cipher($txt, $key);
-		$this->assertEquals($txt, Security::cipher($result, $key));
-
-		$txt = 123456;
-		$key = 'my_key';
-		$result = Security::cipher($txt, $key);
-		$this->assertEquals($txt, Security::cipher($result, $key));
-
-		$txt = '123456';
-		$key = 'my_key';
-		$result = Security::cipher($txt, $key);
-		$this->assertEquals($txt, Security::cipher($result, $key));
-	}
-
-/**
- * testCipherEmptyKey method
- *
- * @expectedException PHPUnit_Framework_Error
- * @return void
- */
-	public function testCipherEmptyKey() {
-		$txt = 'some_text';
-		$key = '';
-		Security::cipher($txt, $key);
-	}
-
 /**
  * testRijndael method
  *

diff --git a/lib/Cake/Utility/Security.php b/lib/Cake/Utility/Security.php
@@ -20,6 +20,7 @@
 namespace Cake\Utility;
 
 use Cake\Core\Configure;
+use Cake\Error;
 
 /**
  * Security Library contains utility methods related to security
@@ -169,39 +170,14 @@ public static function setCost($cost) {
 	}
 
 /**
- * Runs $text through a XOR cipher.
- *
- * *Note* This is not a cryptographically strong method and should not be used
- * for sensitive data. Additionally this method does *not* work in environments
- * where suhosin is enabled.
- *
- * Instead you should use Security::rijndael() when you need strong
- * encryption.
- *
+ * Deprecated method. Does nothing.
  * @param string $text Encrypted string to decrypt, normal string to encrypt
  * @param string $key Key to use
- * @return string Encrypted/Decrypted string
+ * @throws Cake\Error\Exception
  * @deprecated This method will be removed in 3.x
  */
 	public static function cipher($text, $key) {
-		if (empty($key)) {
-			trigger_error(__d('cake_dev', 'You cannot use an empty key for Security::cipher()'), E_USER_WARNING);
-			return '';
-		}
-
-		srand(Configure::read('Security.cipherSeed'));
-		$out = '';
-		$keyLength = strlen($key);
-		for ($i = 0, $textLength = strlen($text); $i < $textLength; $i++) {
-			$j = ord(substr($key, $i % $keyLength, 1));
-			while ($j--) {
-				rand(0, 255);
-			}
-			$mask = rand(0, 255);
-			$out .= chr(ord(substr($text, $i, 1)) ^ $mask);
-		}
-		srand();
-		return $out;
+		throw new Error\Exception(__d('cake_dev', 'Security::cipher() has been removed. Use Security::rijndael() to encrypt data'));
 	}
 
 /**