Consider removing JCryptCipherSimple #8327

paragonie-scott opened this Issue Nov 8, 2015 · 3 comments

XORing the plaintext with str_repeat($secretkey) is worse than encrypting in ECB mode.

There is no salvaging this "encryption" code. rm it, it's not secure.
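The scheme the issue describes (plaintext XORed with the key repeated to the plaintext's length), reimplemented below as an added educational example; this is not JCryptCipherSimple's PHP code, and the key and messages are constructed values. The three functions after the cipher itself show the properties that make the author's "no salvaging" verdict correct: the key cancels between any two messages, a few bytes of known plaintext hand over the whole key, and byte-level repetition in the plaintext is visible in the ciphertext.

```python
from itertools import cycle

# Constructed sample values; not keys or data from any real Joomla site.
KEY = b"s3cret"
MSG_A = b"session=4f9a1c; role=editor"
MSG_B = b"session=77b0e2; role=admin "


def simple_xor(data: bytes, key: bytes) -> bytes:
    """The JCryptCipherSimple idea: XOR data with the key repeated to data's
    length. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def key_cancels(p1: bytes, p2: bytes, key: bytes) -> bool:
    """Weakness 1: for two messages under one key, c1 XOR c2 == p1 XOR p2.
    The key drops out entirely, so the ciphertexts alone relate the plaintexts."""
    c1, c2 = simple_xor(p1, key), simple_xor(p2, key)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def key_from_known_prefix(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Weakness 2: any known plaintext of key_len bytes (here a fixed field name
    at the start of the message) yields the whole key, and with it every other
    message ever protected with it."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_bytes(ciphertext, known_prefix)[:key_len]


def period_leak(plaintext: bytes, key: bytes) -> list:
    """Weakness 3 (why this is worse than ECB): offsets i where the ciphertext
    repeats one key length apart. Each such offset reveals, without the key,
    that plaintext[i] == plaintext[i + len(key)]; ECB only exposes equality of
    whole blocks, this scheme exposes equality of single bytes."""
    c = simple_xor(plaintext, key)
    n = len(key)
    return [i for i in range(len(c) - n) if c[i] == c[i + n]]
```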

Bakual commented Nov 8, 2015

JCryptCipherSimple is already deprecated and will be removed with 4.0.
Due to B/C it is still shipped, but it's recommended to use one of the more secure alternatives.

mbabker added a commit to mbabker/joomla-cms that referenced this issue on Nov 9, 2015:
253ab35 "Use random_bytes() backfill in JCrypt::genRandomBytes (Fix #8327)"

That's good, but I would seriously consider throwing an E_NOTICE or E_WARNING whenever it's used as of 3.5.0.


We aren't going to place potentially publicly visible notices on people's sites. The deprecation is the best we can do until Joomla 4 (potentially we can shove something in the log files, but the reality is that very, very few people ever check that file). There are no active use cases of this class in core. So I think we're pretty much doing the best we can at this stage. Our Joomla 4 deprecations branch already has this class (and all use cases) removed as well.

@wilsonge wilsonge closed this Nov 11, 2015