summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2014-05-31 20:20:26 +0200
committerAndrey Andreev <narf@devilix.net>2014-05-31 20:20:26 +0200
commitbebf3a0e3bce2be795accf13c49681d0c195f84d (patch)
tree4a0605760b69ad8839f2dd15b91a9344127259f2
parent657c43c142eb91f104fc86225309a8c3ebe3df12 (diff)
parent6eb77da2db93af893955b320a768054e9519dc81 (diff)
Merge branch 'develop' into feature/session
-rw-r--r--system/libraries/Encrypt.php59
-rw-r--r--user_guide_src/source/changelog.rst3
-rw-r--r--user_guide_src/source/libraries/encrypt.rst9
3 files changed, 16 insertions, 55 deletions
diff --git a/system/libraries/Encrypt.php b/system/libraries/Encrypt.php
index f72bd2302..2541a4467 100644
--- a/system/libraries/Encrypt.php
+++ b/system/libraries/Encrypt.php
@@ -81,7 +81,11 @@ class CI_Encrypt {
*/
public function __construct()
{
- $this->_mcrypt_exists = function_exists('mcrypt_encrypt');
+ if (($this->_mcrypt_exists = function_exists('mcrypt_encrypt')) === FALSE)
+ {
+ show_error('The Encrypt library requires the Mcrypt extension.');
+ }
+
log_message('debug', 'Encrypt Class Initialized');
}
@@ -138,10 +142,10 @@ class CI_Encrypt {
* Encodes the message string using bitwise XOR encoding.
* The key is combined with a random hash, and then it
* too gets converted using XOR. The whole thing is then run
- * through mcrypt (if supported) using the randomized key.
- * The end result is a double-encrypted message string
- * that is randomized with each call to this function,
- * even if the supplied message and key are the same.
+ * through mcrypt using the randomized key. The end result
+ * is a double-encrypted message string that is randomized
+ * with each call to this function, even if the supplied
+ * message and key are the same.
*
* @param string the string to encode
* @param string the key
@@ -149,8 +153,7 @@ class CI_Encrypt {
*/
public function encode($string, $key = '')
{
- $method = ($this->_mcrypt_exists === TRUE) ? 'mcrypt_encode' : '_xor_encode';
- return base64_encode($this->$method($string, $this->get_key($key)));
+ return base64_encode($this->mcrypt_encode($string, $this->get_key($key)));
}
// --------------------------------------------------------------------
@@ -171,8 +174,7 @@ class CI_Encrypt {
return FALSE;
}
- $method = ($this->_mcrypt_exists === TRUE) ? 'mcrypt_decode' : '_xor_decode';
- return $this->$method(base64_decode($string), $this->get_key($key));
+ return $this->mcrypt_decode(base64_decode($string), $this->get_key($key));
}
// --------------------------------------------------------------------
@@ -194,12 +196,7 @@ class CI_Encrypt {
*/
public function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '')
{
- if ($this->_mcrypt_exists === FALSE)
- {
- log_message('error', 'Encoding from legacy is available only when Mcrypt is in use.');
- return FALSE;
- }
- elseif (preg_match('/[^a-zA-Z0-9\/\+=]/', $string))
+ if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string))
{
return FALSE;
}
@@ -230,38 +227,6 @@ class CI_Encrypt {
// --------------------------------------------------------------------
/**
- * XOR Encode
- *
- * Takes a plain-text string and key as input and generates an
- * encoded bit-string using XOR
- *
- * @param string
- * @param string
- * @return string
- */
- protected function _xor_encode($string, $key)
- {
- $rand = '';
- do
- {
- $rand .= mt_rand();
- }
- while (strlen($rand) < 32);
-
- $rand = $this->hash($rand);
-
- $enc = '';
- for ($i = 0, $ls = strlen($string), $lr = strlen($rand); $i < $ls; $i++)
- {
- $enc .= $rand[($i % $lr)].($rand[($i % $lr)] ^ $string[$i]);
- }
-
- return $this->_xor_merge($enc, $key);
- }
-
- // --------------------------------------------------------------------
-
- /**
* XOR Decode
*
* Takes an encoded string and key as input and generates the
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index e2b37561a..8492be289 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -726,7 +726,6 @@ Bug fixes for 3.0
- Fixed a bug (#2737) - :doc:`XML-RPC Library <libraries/xmlrpc>` used objects as array keys, which triggered E_NOTICE messages.
- Fixed a bug (#2729) - :doc:`Security Library <libraries/security>` internal method ``_validate_entities()`` used overly-intrusive ``preg_replace()`` patterns that produced false-positives.
- Fixed a bug (#2771) - :doc:`Security Library <libraries/security>` method ``xss_clean()`` didn't take into account HTML5 entities.
-- Fixed a bug in the :doc:`Session Library <libraries/sessions>` 'cookie' driver where authentication was not performed for encrypted cookies.
- Fixed a bug (#2856) - ODBC method ``affected_rows()`` passed an incorrect value to ``odbc_num_rows()``.
- Fixed a bug (#43) :doc:`Image Manipulation Library <libraries/image_lib>` method ``text_watermark()`` didn't properly determine watermark placement.
- Fixed a bug where :doc:`HTML Table Library <libraries/table>` ignored its *auto_heading* setting if headings were not already set.
@@ -743,6 +742,7 @@ Release Date: June 2, 2014
- General Changes
- Security: :doc:`Encrypt Library <libraries/encrypt>` method ``xor_encode()`` has been removed. The Encrypt Class now requires the Mcrypt extension to be installed.
+ - Security: The :doc:`Session Library <libraries/sessions>` now uses HMAC authentication instead of a simple MD5 checksum.
Bug fixes for 2.2.0
-------------------
@@ -751,6 +751,7 @@ Bug fixes for 2.2.0
- Fixed a bug (#696) - make ``oci_execute()`` calls inside ``num_rows()`` non-committing, since they are only there to reset which row is next in line for oci_fetch calls and thus don't need to be committed.
- Fixed a bug (#2689) - :doc:`Database Force <database/forge>` methods ``create_table()``, ``drop_table()`` and ``rename_table()`` produced broken SQL for tge 'sqlsrv' driver.
- Fixed a bug (#2427) - PDO :doc:`Database driver <database/index>` didn't properly check for query failures.
+- Fixed a bug in the :doc:`Session Library <libraries/sessions>` where authentication was not performed for encrypted cookies.
Version 2.1.4
=============
diff --git a/user_guide_src/source/libraries/encrypt.rst b/user_guide_src/source/libraries/encrypt.rst
index faff39975..6b65099a6 100644
--- a/user_guide_src/source/libraries/encrypt.rst
+++ b/user_guide_src/source/libraries/encrypt.rst
@@ -2,13 +2,8 @@
Encrypt Class
#############
-The Encrypt Class provides two-way data encryption. It uses a scheme
-that either compiles the message using a randomly hashed bitwise XOR
-encoding scheme, or is encrypted using the Mcrypt library. If Mcrypt is
-not available on your server the encoded message will still provide a
-reasonable degree of security for encrypted sessions or other such
-"light" purposes. If Mcrypt is available, you'll be provided with a high
-degree of security appropriate for storage.
+The Encrypt Class provides two-way data encryption. It encrypted using
+the Mcrypt PHP extension, which is required for the Encrypt Class to run.
.. important:: This library has been DEPRECATED and is only kept for
backwards compatibility. Please use the new :doc:`Encryption Library