Merge pull request #3071 from EllisLab/bug/xor_encode

Bug/xor encode

3 files changed, 21 insertions, 69 deletions

diff --git a/system/libraries/Encrypt.php b/system/libraries/Encrypt.php
index b30a8cf0b..b6758d98f 100644
--- a/system/libraries/Encrypt.php
+++ b/system/libraries/Encrypt.php
@@ -18,7 +18,7 @@
 /**
  * CodeIgniter Encryption Class
  *
- * Provides two-way keyed encoding using XOR Hashing and Mcrypt
+ * Provides two-way keyed encoding using Mcrypt
  *
  * @package		CodeIgniter
  * @subpackage	Libraries
@@ -45,6 +45,12 @@ class CI_Encrypt {
 	{
 		$this->CI =& get_instance();
 		$this->_mcrypt_exists = ( ! function_exists('mcrypt_encrypt')) ? FALSE : TRUE;
+
+		if ($this->_mcrypt_exists === FALSE)
+		{
+			show_error('The Encrypt library requires the Mcrypt extension.');
+		}
+
 		log_message('debug', "Encrypt Class Initialized");
 	}
 
@@ -103,10 +109,10 @@ class CI_Encrypt {
 	 * Encodes the message string using bitwise XOR encoding.
 	 * The key is combined with a random hash, and then it
 	 * too gets converted using XOR. The whole thing is then run
-	 * through mcrypt (if supported) using the randomized key.
-	 * The end result is a double-encrypted message string
-	 * that is randomized with each call to this function,
-	 * even if the supplied message and key are the same.
+	 * through mcrypt using the randomized key. The end result
+	 * is a double-encrypted message string that is randomized
+	 * with each call to this function, even if the supplied
+	 * message and key are the same.
 	 *
 	 * @access	public
 	 * @param	string	the string to encode
@@ -116,15 +122,7 @@ class CI_Encrypt {
 	function encode($string, $key = '')
 	{
 		$key = $this->get_key($key);
-
-		if ($this->_mcrypt_exists === TRUE)
-		{
-			$enc = $this->mcrypt_encode($string, $key);
-		}
-		else
-		{
-			$enc = $this->_xor_encode($string, $key);
-		}
+		$enc = $this->mcrypt_encode($string, $key);
 
 		return base64_encode($enc);
 	}
@@ -152,16 +150,9 @@ class CI_Encrypt {
 
 		$dec = base64_decode($string);
 
-		if ($this->_mcrypt_exists === TRUE)
-		{
-			if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
-			{
-				return FALSE;
-			}
-		}
-		else
+		if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
 		{
-			$dec = $this->_xor_decode($dec, $key);
+			return FALSE;
 		}
 
 		return $dec;
@@ -187,12 +178,6 @@ class CI_Encrypt {
 	 */
 	function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '')
 	{
-		if ($this->_mcrypt_exists === FALSE)
-		{
-			log_message('error', 'Encoding from legacy is available only when Mcrypt is in use.');
-			return FALSE;
-		}
-
 		// decode it first
 		// set mode temporarily to what it was when string was encoded with the legacy
 		// algorithm - typically MCRYPT_MODE_ECB
@@ -225,38 +210,6 @@ class CI_Encrypt {
 	// --------------------------------------------------------------------
 
 	/**
-	 * XOR Encode
-	 *
-	 * Takes a plain-text string and key as input and generates an
-	 * encoded bit-string using XOR
-	 *
-	 * @access	private
-	 * @param	string
-	 * @param	string
-	 * @return	string
-	 */
-	function _xor_encode($string, $key)
-	{
-		$rand = '';
-		while (strlen($rand) < 32)
-		{
-			$rand .= mt_rand(0, mt_getrandmax());
-		}
-
-		$rand = $this->hash($rand);
-
-		$enc = '';
-		for ($i = 0; $i < strlen($string); $i++)
-		{
-			$enc .= substr($rand, ($i % strlen($rand)), 1).(substr($rand, ($i % strlen($rand)), 1) ^ substr($string, $i, 1));
-		}
-
-		return $this->_xor_merge($enc, $key);
-	}
-
-	// --------------------------------------------------------------------
-
-	/**
 	 * XOR Decode
 	 *
 	 * Takes an encoded string and key as input and generates the
@@ -544,4 +497,4 @@ class CI_Encrypt {
 // END CI_Encrypt class
 
 /* End of file Encrypt.php */
-/* Location: ./system/libraries/Encrypt.php */
\ No newline at end of file
+/* Location: ./system/libraries/Encrypt.php */
diff --git a/user_guide/libraries/encryption.html b/user_guide/libraries/encryption.html
index cd59a6c30..4331372a3 100644
--- a/user_guide/libraries/encryption.html
+++ b/user_guide/libraries/encryption.html
@@ -58,11 +58,8 @@ Encryption Class
 
 <h1>Encryption Class</h1>
 
-<p>The Encryption Class provides two-way data encryption.  It uses a scheme that either compiles
-the message using a randomly hashed bitwise XOR encoding scheme, or is encrypted using
-the Mcrypt library.  If Mcrypt is not available on your server the encoded message will
-still provide a reasonable degree of security for encrypted sessions or other such "light" purposes.
-If Mcrypt is available, you'll be provided with a high degree of security appropriate for storage.</p>
+<p>The Encryption Class provides two-way data encryption.  It is encrypted using
+the Mcrypt library.  The Encryption Class requires the Mcrypt extension to run.</p>
 
 
 <h2>Setting your Key</h2>
@@ -221,4 +218,4 @@ Next Topic:&nbsp;&nbsp;<a href="file_uploading.html">File Uploading Class</a>
 </div>
 
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/user_guide/libraries/sessions.html b/user_guide/libraries/sessions.html
index 1b7b73ab9..989170a45 100644
--- a/user_guide/libraries/sessions.html
+++ b/user_guide/libraries/sessions.html
@@ -71,6 +71,8 @@ generates its own session data, offering more flexibility for developers.</p>
 <p class="important"><strong>Note:</strong> Even if you are not using encrypted sessions, you must set
 an <a href="./encryption.html">encryption key</a> in your config file which is used to aid in preventing session data manipulation.</p>
 
+<p class="important"><strong>Note:</strong> The Session class relies on the Encryption class, so you must have Mcrypt extension installed</p>
+
 <h2>Initializing a Session</h2>
 
 <p>Sessions will typically run globally with each page load, so the session class must either be
@@ -338,4 +340,4 @@ Next Topic:&nbsp;&nbsp;<a href="trackback.html">Trackback Class</a>
 </div>
 
 </body>
-</html>
\ No newline at end of file
+</html>