Diffstat (limited to 'user_guide_src')

-rw-r--r--  user_guide_src/source/changelog.rst                    15
-rw-r--r--  user_guide_src/source/installation/upgrade_200.rst      6
-rw-r--r--  user_guide_src/source/installation/upgrade_220.rst     13
-rw-r--r--  user_guide_src/source/installation/upgrade_300.rst     11
-rw-r--r--  user_guide_src/source/installation/upgrade_320.rst      1
-rw-r--r--  user_guide_src/source/libraries/encrypt.rst           198
-rw-r--r--  user_guide_src/source/libraries/encryption.rst          4

7 files changed, 24 insertions, 224 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index b9a9e2015..5d98e7554 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -37,6 +37,7 @@ Release Date: Not Released - Libraries + - Removed previously deprecated *Encrypt Library*. - Removed previously deprecated *Cart Library*. - Removed previously deprecated *Javascript Library* (it was always experimental in the first place). - Removed previously deprecated ``anchor_class`` option from :doc:`Pagination Library <libraries/pagination>`. @@ -368,10 +369,10 @@ Release Date: Mar 20, 2017 - **Security** - Fixed a header injection vulnerability in :doc:`common function <general/common_functions>` :php:func:`set_status_header()` under Apache (thanks to Guillermo Caminer from `Flowgate <https://flowgate.net/>`_). - - Fixed byte-safety issues in :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) when ``mbstring.func_overload`` is enabled. + - Fixed byte-safety issues in **Encrypt Library** (DEPRECATED) when ``mbstring.func_overload`` is enabled. - Fixed byte-safety issues in :doc:`Encryption Library <libraries/encryption>` when ``mbstring.func_overload`` is enabled. - Fixed byte-safety issues in :doc:`compatibility functions <general/compatibility_functions>` ``password_hash()``, ``hash_pbkdf2()`` when ``mbstring.func_overload`` is enabled. - - Updated :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) to call ``mcrypt_create_iv()`` with ``MCRYPT_DEV_URANDOM``. + - Updated **Encrypt Library** (DEPRECATED) to call ``mcrypt_create_iv()`` with ``MCRYPT_DEV_URANDOM``. - General Changes 
@@ -1079,9 +1080,9 @@ Release Date: March 30, 2015 - Libraries - - Added a new :doc:`Encryption Library <libraries/encryption>` to replace the old, largely insecure :doc:`Encrypt Library <libraries/encrypt>`. + - Added a new :doc:`Encryption Library <libraries/encryption>` to replace the old, largely insecure **Encrypt Library**. - - :doc:`Encrypt Library <libraries/encrypt>` changes include: + - **Encrypt Library** changes include: - Deprecated the library in favor of the new :doc:`Encryption Library <libraries/encryption>`. - Added support for hashing algorithms other than SHA1 and MD5. @@ -1462,7 +1463,7 @@ Bug fixes for 3.0 - Fixed a bug (#1264) - :doc:`Database Forge <database/forge>` and :doc:`Database Utilities <database/utilities>` didn't update/reset the databases and tables list cache when a table or a database is created, dropped or renamed. - Fixed a bug (#7) - :doc:`Query Builder <database/query_builder>` method ``join()`` only escaped one set of conditions. - Fixed a bug (#1321) - ``CI_Exceptions`` couldn't find the *errors/* directory in some cases. -- Fixed a bug (#1202) - :doc:`Encrypt Library <libraries/encrypt>` ``encode_from_legacy()`` didn't set back the encrypt mode on failure. +- Fixed a bug (#1202) - **Encrypt Library** ``encode_from_legacy()`` didn't set back the encrypt mode on failure. - Fixed a bug (#145) - :doc:`Database Class <database/index>` method ``compile_binds()`` failed when the bind marker was present in a literal string within the query. - Fixed a bug in :doc:`Query Builder <database/query_builder>` method ``protect_identifiers()`` where if passed along with the field names, operators got escaped as well. - Fixed a bug (#10) - :doc:`URI Library <libraries/uri>` internal method ``_detect_uri()`` failed with paths containing a colon. 
@@ -1632,7 +1633,7 @@ Release Date: June 2, 2014 - General Changes - - Security: :doc:`Encrypt Library <libraries/encrypt>` method ``xor_encode()`` has been removed. The Encrypt Class now requires the Mcrypt extension to be installed. + - Security: **Encrypt Library** method ``xor_encode()`` has been removed. The Encrypt Class now requires the Mcrypt extension to be installed. - Security: The :doc:`Session Library <libraries/sessions>` now uses HMAC authentication instead of a simple MD5 checksum. Bug fixes for 2.2.0 @@ -2241,7 +2242,7 @@ Hg Tag: v2.0.0 - Documented append_output() in the :doc:`Output Class <libraries/output>`. - Documented a second argument in the decode() function for the - :doc:`Encrypt Class <libraries/encrypt>`. + **Encrypt Class**. - Documented db->close(). - Updated the router to support a default route with any number of segments. diff --git a/user_guide_src/source/installation/upgrade_200.rst b/user_guide_src/source/installation/upgrade_200.rst index 03b8ff4ac..96256b13a 100644 --- a/user_guide_src/source/installation/upgrade_200.rst +++ b/user_guide_src/source/installation/upgrade_200.rst @@ -64,9 +64,7 @@ string using the improved methods. This will enable you to easily replace stale encrypted data with fresh in your applications, either on the fly or en masse. -Please read :doc:`how to use this -method <../libraries/encrypt>` in the Encrypt library -documentation. +Please read how to use this in the Encrypt library documentation. Step 5: Remove loading calls for the compatibility helper. ========================================================== @@ -145,4 +143,4 @@ The following files have been changed: The following files have been added: - foreign_chars.php -- profiler.php
\ No newline at end of file +- profiler.php diff --git a/user_guide_src/source/installation/upgrade_220.rst b/user_guide_src/source/installation/upgrade_220.rst index 489dd6312..c87148ca1 100644 --- a/user_guide_src/source/installation/upgrade_220.rst +++ b/user_guide_src/source/installation/upgrade_220.rst @@ -2,12 +2,11 @@ Upgrading from 2.1.4 to 2.2.x ############################# -.. note:: The :doc:`Encrypt Class </libraries/encrypt>` now requires the - Mcrypt extension. If you were previously using the Encrypt Class - without Mcrypt, then this is a breaking change. You must install - the Mcrypt extension in order to upgrade. For information on - installing Mcrypt please see the PHP `documentation - <https://secure.php.net/manual/en/mcrypt.setup.php>`. +.. note:: The **Encrypt Class** now requires the Mcrypt extension. If you + were previously using the Encrypt Class without Mcrypt, then this + is a breaking change. You must install the Mcrypt extension in + order to upgrade. For information on installing Mcrypt please see + the PHP `documentation <https://secure.php.net/manual/en/mcrypt.setup.php>`. Before performing an update you should take your site offline by replacing the index.php file with a static one. @@ -18,4 +17,4 @@ Step 1: Update your CodeIgniter files Replace all files and directories in your "system" folder. .. note:: If you have any custom developed files in these folders please - make copies of them first.
\ No newline at end of file + make copies of them first. diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 188144844..03a7b579c 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -520,7 +520,7 @@ The SHA1 library The previously deprecated SHA1 library has been removed, alter your code to use PHP's native ``sha1()`` function to generate a SHA1 hash. -Additionally, the ``sha1()`` method in the :doc:`Encrypt Library <../libraries/encrypt>` has been removed. +Additionally, the ``sha1()`` method in the **Encrypt Library** has been removed. The EXT constant ================ @@ -541,17 +541,16 @@ Also, the previously deprecated ``js_insert_smiley()`` (since version 1.7.2) is The Encrypt library =================== -Following numerous vulnerability reports, the :doc:`Encrypt Library <../libraries/encrypt>` has -been deprecated and a new, :doc:`Encryption Library <../libraries/encryption>` is added to take -its place. +Following numerous vulnerability reports, the **Encrypt Library** has been deprecated and a +new, :doc:`Encryption Library <../libraries/encryption>` is added to take its place. The new library requires either the `MCrypt extension <https://secure.php.net/mcrypt>`_ (and /dev/urandom availability) or PHP 5.3.3 and the `OpenSSL extension <https://secure.php.net/openssl>`_. While this might be rather inconvenient, it is a requirement that allows us to have properly implemented cryptographic functions. -.. note:: The :doc:`Encrypt Library <../libraries/encrypt>` is still available for the purpose - of keeping backwards compatibility. +.. note:: The **Encrypt Library** is still available for the purpose of keeping + backwards compatibility. .. important:: You are strongly encouraged to switch to the new :doc:`Encryption Library <../libraries/encryption>` as soon as possible! 
diff --git a/user_guide_src/source/installation/upgrade_320.rst b/user_guide_src/source/installation/upgrade_320.rst index 368871d7d..c70ff707c 100644 --- a/user_guide_src/source/installation/upgrade_320.rst +++ b/user_guide_src/source/installation/upgrade_320.rst @@ -222,6 +222,7 @@ CodeIgniter versions that have been removed in 3.2.0: - ``read_file()`` :doc:`File Helper <../helpers/file_helper>` function (use ``file_get_contents()`` instead) - ``form_prep()`` :doc:`Form Helper <../helpers/form_helper>` function (use :php:func:`html_escape()` instead) +- The entire *Encrypt Library* (the newer :doc:`Encryption Library <../libraries/encryption>` is still available) - The entire *Cart Library* (an archived version is available on GitHub: `bcit-ci/ci3-cart-library <https://github.com/bcit-ci/ci3-cart-library>`_) - The entire *Javascript Library* (it was always experimental in the first place) diff --git a/user_guide_src/source/libraries/encrypt.rst b/user_guide_src/source/libraries/encrypt.rst deleted file mode 100644 index 10893b901..000000000 --- a/user_guide_src/source/libraries/encrypt.rst +++ /dev/null 
@@ -1,198 +0,0 @@ -############# -Encrypt Class -############# - -The Encrypt Class provides two-way data encryption. It encrypted using -the Mcrypt PHP extension, which is required for the Encrypt Class to run. - -.. important:: This library has been DEPRECATED and is only kept for - backwards compatibility. Please use the new :doc:`Encryption Library - <encryption>`. - -.. contents:: - :local: - -.. raw:: html - - <div class="custom-index container"></div> - -************************* -Using the Encrypt Library -************************* - -Setting your Key -================ - -A *key* is a piece of information that controls the cryptographic -process and permits an encrypted string to be decoded. In fact, the key -you chose will provide the **only** means to decode data that was -encrypted with that key, so not only must you choose the key carefully, -you must never change it if you intend use it for persistent data. - -It goes without saying that you should guard your key carefully. Should -someone gain access to your key, the data will be easily decoded. If -your server is not totally under your control it's impossible to ensure -key security so you may want to think carefully before using it for -anything that requires high security, like storing credit card numbers. - -To take maximum advantage of the encryption algorithm, your key should -be 32 characters in length (256 bits). The key should be as random a -string as you can concoct, with numbers and uppercase and lowercase -letters. Your key should **not** be a simple text string. In order to be -cryptographically secure it needs to be as random as possible. - -Your key can be either stored in your **application/config/config.php**, or -you can design your own storage mechanism and pass the key dynamically -when encoding/decoding. 
- -To save your key to your **application/config/config.php**, open the file -and set:: - - $config['encryption_key'] = "YOUR KEY"; - -Message Length -============== - -It's important for you to know that the encoded messages the encryption -function generates will be approximately 2.6 times longer than the -original message. For example, if you encrypt the string "my super -secret data", which is 21 characters in length, you'll end up with an -encoded string that is roughly 55 characters (we say "roughly" because -the encoded string length increments in 64 bit clusters, so it's not -exactly linear). Keep this information in mind when selecting your data -storage mechanism. Cookies, for example, can only hold 4K of -information. - -Initializing the Class -====================== - -Like most other classes in CodeIgniter, the Encrypt class is -initialized in your controller using the ``$this->load->library()`` -method:: - - $this->load->library('encrypt'); - -Once loaded, the Encrypt library object will be available using:: - - $this->encrypt - -*************** -Class Reference -*************** - -.. php:class:: CI_Encrypt - - .. php:method:: encode($string[, $key = '']) - - :param string $string: Data to encrypt - :param string $key: Encryption key - :returns: Encrypted string - :rtype: string - - Performs the data encryption and returns it as a string. Example:: - - $msg = 'My secret message'; - - $encrypted_string = $this->encrypt->encode($msg); - - You can optionally pass your encryption key via the second parameter if - you don't want to use the one in your config file:: - - $msg = 'My secret message'; - $key = 'super-secret-key'; - - $encrypted_string = $this->encrypt->encode($msg, $key); - - .. php:method:: decode($string[, $key = '']) - - :param string $string: String to decrypt - :param string $key: Encryption key - :returns: Plain-text string - :rtype: string - - Decrypts an encoded string. 
Example:: - - $encrypted_string = 'APANtByIGI1BpVXZTJgcsAG8GZl8pdwwa84'; - - $plaintext_string = $this->encrypt->decode($encrypted_string); - - You can optionally pass your encryption key via the second parameter if - you don't want to use the one in your config file:: - - $msg = 'My secret message'; - $key = 'super-secret-key'; - - $encrypted_string = $this->encrypt->decode($msg, $key); - - .. php:method:: set_cipher($cipher) - - :param int $cipher: Valid PHP MCrypt cypher constant - :returns: CI_Encrypt instance (method chaining) - :rtype: CI_Encrypt - - Permits you to set an Mcrypt cipher. By default it uses - ``MCRYPT_RIJNDAEL_256``. Example:: - - $this->encrypt->set_cipher(MCRYPT_BLOWFISH); - - Please visit php.net for a list of `available ciphers <https://secure.php.net/mcrypt>`_. - - If you'd like to manually test whether your server supports MCrypt you - can use:: - - echo extension_loaded('mcrypt') ? 'Yup' : 'Nope'; - - .. php:method:: set_mode($mode) - - :param int $mode: Valid PHP MCrypt mode constant - :returns: CI_Encrypt instance (method chaining) - :rtype: CI_Encrypt - - Permits you to set an Mcrypt mode. By default it uses **MCRYPT_MODE_CBC**. - Example:: - - $this->encrypt->set_mode(MCRYPT_MODE_CFB); - - Please visit php.net for a list of `available modes <https://secure.php.net/mcrypt>`_. - - .. php:method:: encode_from_legacy($string[, $legacy_mode = MCRYPT_MODE_ECB[, $key = '']]) - - :param string $string: String to encrypt - :param int $legacy_mode: Valid PHP MCrypt cipher constant - :param string $key: Encryption key - :returns: Newly encrypted string - :rtype: string - - Enables you to re-encode data that was originally encrypted with - CodeIgniter 1.x to be compatible with the Encrypt library in - CodeIgniter 2.x. It is only necessary to use this method if you have - encrypted data stored permanently such as in a file or database and are - on a server that supports Mcrypt. 
"Light" use encryption such as - encrypted session data or transitory encrypted flashdata require no - intervention on your part. However, existing encrypted Sessions will be - destroyed since data encrypted prior to 2.x will not be decoded. - - .. important:: - **Why only a method to re-encode the data instead of maintaining legacy - methods for both encoding and decoding?** The algorithms in the - Encrypt library have improved in CodeIgniter 2.x both for performance - and security, and we do not wish to encourage continued use of the older - methods. You can of course extend the Encryption library if you wish and - replace the new methods with the old and retain seamless compatibility - with CodeIgniter 1.x encrypted data, but this a decision that a - developer should make cautiously and deliberately, if at all. - - :: - - $new_data = $this->encrypt->encode_from_legacy($old_encrypted_string); - - ====================== =============== ======================================================================= - Parameter Default Description - ====================== =============== ======================================================================= - **$orig_data** n/a The original encrypted data from CodeIgniter 1.x's Encryption library - **$legacy_mode** MCRYPT_MODE_ECB The Mcrypt mode that was used to generate the original encrypted data. - CodeIgniter 1.x's default was MCRYPT_MODE_ECB, and it will assume that - to be the case unless overridden by this parameter. - **$key** n/a The encryption key. This it typically specified in your config file as - outlined above. - ====================== =============== =======================================================================
\ No newline at end of file diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst index 833a56c09..643818aa4 100644 --- a/user_guide_src/source/libraries/encryption.rst +++ b/user_guide_src/source/libraries/encryption.rst @@ -280,8 +280,8 @@ Configuring the library ======================= For usability, performance, but also historical reasons tied to our old -:doc:`Encrypt Class <encrypt>`, the Encryption library is designed to -use repeatedly the same driver, encryption cipher, mode and key. +**Encrypt Class**, the Encryption library is designed to use repeatedly +the same driver, encryption cipher, mode and key. As noted in the "Default behavior" section above, this means using an auto-detected driver (OpenSSL has a higher priority), the AES-128 ciper |
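Review bot: in the upgrade_200.rst hunk (@@ -64,9 +64,7 @@), the replacement sentence `+Please read how to use this in the Encrypt library documentation.` sends the reader to documentation that this same commit deletes (user_guide_src/source/libraries/encrypt.rst), so in the built guide it points at nothing. Either drop the sentence, or say explicitly that ``encode_from_legacy()`` and its documentation exist only in an earlier release's user guide and that stored 1.x data has to be re-encoded there before moving to a release without the Encrypt library.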
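Review bot: the rewritten note in the upgrade_220.rst hunk (@@ -2,12 +2,11 @@) carries over a malformed rST hyperlink: ``the PHP `documentation <https://secure.php.net/manual/en/mcrypt.setup.php>`.`` has no trailing underscore, so Sphinx treats it as interpreted text rather than an external link. The removed lines had the same defect, but since the line is being rewritten anyway, write it as ``` `documentation <https://secure.php.net/manual/en/mcrypt.setup.php>`_ ```, matching the form used elsewhere in this patch (for example ``` `Flowgate <https://flowgate.net/>`_ ``` in the changelog hunk).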
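Review bot: the added entry in the upgrade_320.rst hunk (@@ -222,6 +222,7 @@) only says the Encryption Library "is still available", which does not tell a user with persisted Encrypt-library ciphertext what to do. Removing the class removes the only ``decode()`` path the guide documents for that data, and nothing in the guide states that the Encryption Library reads the old format. The entry should say that any data stored in the old format must be decoded with the Encrypt library and re-encrypted with the Encryption Library before upgrading to 3.2.0, the same way the Cart entry on the next line gives users a concrete path (the archived repository).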
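Review bot: deleting user_guide_src/source/libraries/encrypt.rst leaves any remaining ``:doc:`` target or toctree entry for ``libraries/encrypt`` dangling, and the diffstat (7 files changed) does not include a libraries index or toctree file. The hunks update changelog.rst, the upgrade pages and encryption.rst, but before merging, grep user_guide_src for ``libraries/encrypt``, ``<encrypt>`` and an ``encrypt`` toctree line; Sphinx reports a nonexistent-document warning for each one left behind.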
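Review bot: the encryption.rst hunk (@@ -280,8 +280,8 @@) reflows a paragraph whose trailing context line reads ``the AES-128 ciper``, a pre-existing typo for "cipher"; since this paragraph is already being rewritten, fix it in the same change.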