Consider removing JCryptCipherSimple #8327

Closed
paragonie-scott opened this Issue Nov 8, 2015 · 3 comments


@paragonie-scott
Contributor

https://github.com/joomla/joomla-cms/blob/ec8a72f4cd0519786b9001dd3dd593131e7d32d2/libraries/joomla/crypt/cipher/simple.php#L61-L100

XORing the plaintext with str_repeat($secretkey) is worse than encrypting in ECB mode.

There is no salvaging this "encryption" code. rm it, it's not secure.
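
The construction criticised above, as an added example that is not Joomla's code or the issue author's: a repeating-key XOR (the key repeated with `str_repeat` over the plaintext) and the two properties that make it unsalvageable, namely that two messages under one key cancel the key out, and that a single known plaintext hands back the whole key. The key and messages are constructed samples.

```python
from itertools import cycle


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key repeated to cover it
    (the str_repeat($secretkey) scheme the issue describes).
    Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """Two ciphertexts under the same key satisfy c1 ^ c2 == p1 ^ p2:
    the key vanishes entirely, so it protects nothing between messages."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """c[i] ^ p[i] == key[i % key_len], so one known plaintext at least
    key_len bytes long yields the complete key, not just one block."""
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than the key")
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


def equal_offsets_leak(p: bytes, key_len: int) -> bool:
    """Like ECB leaking equal blocks, but at byte granularity: positions
    that agree mod key_len and hold the same plaintext byte always produce
    the same ciphertext byte, whatever the key is."""
    key = b"\x7f" * key_len  # any key exhibits the pattern; constructed here
    c = repeating_key_xor(p, key)
    pairs = [(i, j) for i in range(len(p)) for j in range(i + key_len, len(p), key_len)]
    return all((p[i] == p[j]) == (c[i] == c[j]) for i, j in pairs)


if __name__ == "__main__":
    key = b"s3cr3tkey"                 # constructed sample key
    p1 = b"user=alice;role=admin"      # constructed sample messages
    p2 = b"user=bobby;role=guest"
    c1, c2 = repeating_key_xor(p1, key), repeating_key_xor(p2, key)
    print("key cancels:", key_cancels(c1, c2, p1, p2))
    print("recovered key:", recover_key(c1, p1, len(key)))
```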

@Bakual
Contributor
Bakual commented Nov 8, 2015

JCryptCipherSimple is already deprecated and will be removed with 4.0.
Due to B/C it is still shipped, but it's recommended to use one of the more secure alternatives.

@mbabker mbabker added a commit to mbabker/joomla-cms that referenced this issue Nov 9, 2015
@mbabker mbabker Use random_bytes() backfill in JCrypt::genRandomBytes (Fix #8327) 253ab35
@paragonie-scott
Contributor

That's good, but I would seriously consider throwing an E_NOTICE or E_WARNING whenever it's used as of 3.5.0.

@wilsonge
Member

We aren't going to place potentially publicly visible notices on people's sites. The deprecation is the best we can do until Joomla 4 (potentially we can shove something in the log files, but the reality is that very, very few people ever check that file). There are no active use cases of this class in core. So I think we're pretty much doing the best we can at this stage. Our Joomla 4 deprecations branch already has this class (and all use cases) removed as well: https://github.com/joomla-projects/joomla-pythagoras/tree/feature/deprecations

@wilsonge wilsonge closed this Nov 11, 2015