authorQuinn Chrzan <quinnchrzan@gmail.com>2014-05-30 19:25:12 +0200
committerQuinn Chrzan <quinnchrzan@gmail.com>2014-05-30 19:25:12 +0200
commitc77e1933e64e9e93d6318752deb668d96efeb62f (patch)
treedb3074ea63d6701c88bc5519b6a12d60f49bd439
parent5800de6835bfa943b7ffca94917f3f85696cc35f (diff)
parent9eb99bce5e1a62c5df8758eaf82f6edee61c35b1 (diff)
Merge pull request #3071 from EllisLab/bug/xor_encode
Bug/xor encode
-rw-r--r--system/libraries/Encrypt.php77
-rw-r--r--user_guide/libraries/encryption.html9
-rw-r--r--user_guide/libraries/sessions.html4
3 files changed, 21 insertions, 69 deletions
diff --git a/system/libraries/Encrypt.php b/system/libraries/Encrypt.php
index b30a8cf0b..b6758d98f 100644
--- a/system/libraries/Encrypt.php
+++ b/system/libraries/Encrypt.php
@@ -18,7 +18,7 @@
/**
* CodeIgniter Encryption Class
*
- * Provides two-way keyed encoding using XOR Hashing and Mcrypt
+ * Provides two-way keyed encoding using Mcrypt
*
* @package CodeIgniter
* @subpackage Libraries
@@ -45,6 +45,12 @@ class CI_Encrypt {
{
$this->CI =& get_instance();
$this->_mcrypt_exists = ( ! function_exists('mcrypt_encrypt')) ? FALSE : TRUE;
+
+ if ($this->_mcrypt_exists === FALSE)
+ {
+ show_error('The Encrypt library requires the Mcrypt extension.');
+ }
+
log_message('debug', "Encrypt Class Initialized");
}
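Review bot: Once the added `show_error()` call aborts construction when Mcrypt is missing, `$this->_mcrypt_exists` is TRUE for every instance that survives the constructor, so the property no longer carries information and the remaining checks on it elsewhere in the class become dead branches. Either drop the property together with those checks, or document the invariant next to the assignment, e.g. `// Always TRUE past this point: construction aborts below when Mcrypt is absent.` The assignment itself could also read simply `$this->_mcrypt_exists = function_exists('mcrypt_encrypt');` instead of the negated ternary. The constructor's signature is above the hunk.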
@@ -103,10 +109,10 @@ class CI_Encrypt {
* Encodes the message string using bitwise XOR encoding.
* The key is combined with a random hash, and then it
* too gets converted using XOR. The whole thing is then run
- * through mcrypt (if supported) using the randomized key.
- * The end result is a double-encrypted message string
- * that is randomized with each call to this function,
- * even if the supplied message and key are the same.
+ * through mcrypt using the randomized key. The end result
+ * is a double-encrypted message string that is randomized
+ * with each call to this function, even if the supplied
+ * message and key are the same.
*
* @access public
* @param string the string to encode
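Review bot: The docblock still opens with "Encodes the message string using bitwise XOR encoding" and describes the key being "converted using XOR", but the next hunk removes the XOR path from `encode()` so that it only calls `mcrypt_encode()`; the first three lines of this comment are now describing behaviour the method no longer has. I would replace them with `* Encrypts the message string with Mcrypt using the supplied key.` and keep the sentence about the result being randomized per call only if `mcrypt_encode()` (outside this hunk) still guarantees that. The "double-encrypted" wording should go for the same reason.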
@@ -116,15 +122,7 @@ class CI_Encrypt {
function encode($string, $key = '')
{
$key = $this->get_key($key);
-
- if ($this->_mcrypt_exists === TRUE)
- {
- $enc = $this->mcrypt_encode($string, $key);
- }
- else
- {
- $enc = $this->_xor_encode($string, $key);
- }
+ $enc = $this->mcrypt_encode($string, $key);
return base64_encode($enc);
}
@@ -152,16 +150,9 @@ class CI_Encrypt {
$dec = base64_decode($string);
- if ($this->_mcrypt_exists === TRUE)
- {
- if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
- {
- return FALSE;
- }
- }
- else
+ if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
{
- $dec = $this->_xor_decode($dec, $key);
+ return FALSE;
}
return $dec;
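Review bot: `base64_decode($string)` is called without the strict flag, so malformed input is silently coerced into bytes and handed to `mcrypt_decode()` instead of being rejected at the boundary; now that this is the only decode path it is worth failing early with `if (($dec = base64_decode($string, TRUE)) === FALSE) { return FALSE; }`. Output of `base64_encode()` in `encode()` is always strict-valid, so this does not reject anything the library itself produced. `decode()`'s signature and closing brace lie outside the hunk.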
@@ -187,12 +178,6 @@ class CI_Encrypt {
*/
function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '')
{
- if ($this->_mcrypt_exists === FALSE)
- {
- log_message('error', 'Encoding from legacy is available only when Mcrypt is in use.');
- return FALSE;
- }
-
// decode it first
// set mode temporarily to what it was when string was encoded with the legacy
// algorithm - typically MCRYPT_MODE_ECB
@@ -225,38 +210,6 @@ class CI_Encrypt {
// --------------------------------------------------------------------
/**
- * XOR Encode
- *
- * Takes a plain-text string and key as input and generates an
- * encoded bit-string using XOR
- *
- * @access private
- * @param string
- * @param string
- * @return string
- */
- function _xor_encode($string, $key)
- {
- $rand = '';
- while (strlen($rand) < 32)
- {
- $rand .= mt_rand(0, mt_getrandmax());
- }
-
- $rand = $this->hash($rand);
-
- $enc = '';
- for ($i = 0; $i < strlen($string); $i++)
- {
- $enc .= substr($rand, ($i % strlen($rand)), 1).(substr($rand, ($i % strlen($rand)), 1) ^ substr($string, $i, 1));
- }
-
- return $this->_xor_merge($enc, $key);
- }
-
- // --------------------------------------------------------------------
-
- /**
* XOR Decode
*
* Takes an encoded string and key as input and generates the
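Review bot: `_xor_encode()` is removed here while its counterpart `_xor_decode()` stays (its docblock is the context at the end of this hunk), leaving a private decode routine with no matching encoder in the class. If it is intentionally retained so that `encode_from_legacy()` can still read strings produced by the old XOR-then-Mcrypt scheme, a one-line comment on `_xor_decode()` such as `// Kept only for encode_from_legacy(): decodes the pre-Mcrypt XOR layer.` would stop a later cleanup from removing it as dead code; if nothing calls it any more, it should be deleted in the same commit as `_xor_merge()`.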
@@ -544,4 +497,4 @@ class CI_Encrypt {
// END CI_Encrypt class
/* End of file Encrypt.php */
-/* Location: ./system/libraries/Encrypt.php */ \ No newline at end of file
+/* Location: ./system/libraries/Encrypt.php */
diff --git a/user_guide/libraries/encryption.html b/user_guide/libraries/encryption.html
index cd59a6c30..4331372a3 100644
--- a/user_guide/libraries/encryption.html
+++ b/user_guide/libraries/encryption.html
@@ -58,11 +58,8 @@ Encryption Class
<h1>Encryption Class</h1>
-<p>The Encryption Class provides two-way data encryption. It uses a scheme that either compiles
-the message using a randomly hashed bitwise XOR encoding scheme, or is encrypted using
-the Mcrypt library. If Mcrypt is not available on your server the encoded message will
-still provide a reasonable degree of security for encrypted sessions or other such "light" purposes.
-If Mcrypt is available, you'll be provided with a high degree of security appropriate for storage.</p>
+<p>The Encryption Class provides two-way data encryption. It is encrypted using
+the Mcrypt library. The Encryption Class requires the Mcrypt extension to run.</p>
<h2>Setting your Key</h2>
@@ -221,4 +218,4 @@ Next Topic:&nbsp;&nbsp;<a href="file_uploading.html">File Uploading Class</a>
</div>
</body>
-</html> \ No newline at end of file
+</html>
diff --git a/user_guide/libraries/sessions.html b/user_guide/libraries/sessions.html
index 1b7b73ab9..989170a45 100644
--- a/user_guide/libraries/sessions.html
+++ b/user_guide/libraries/sessions.html
@@ -71,6 +71,8 @@ generates its own session data, offering more flexibility for developers.</p>
<p class="important"><strong>Note:</strong> Even if you are not using encrypted sessions, you must set
an <a href="./encryption.html">encryption key</a> in your config file which is used to aid in preventing session data manipulation.</p>
+<p class="important"><strong>Note:</strong> The Session class relies on the Encryption class, so you must have Mcrypt extension installed</p>
+
<h2>Initializing a Session</h2>
<p>Sessions will typically run globally with each page load, so the session class must either be
@@ -338,4 +340,4 @@ Next Topic:&nbsp;&nbsp;<a href="trackback.html">Trackback Class</a>
</div>
</body>
-</html> \ No newline at end of file
+</html>