
Bugfix Version jump probably has a BC (from 2.7.1 to 2.7.2)

Open null9beta opened this issue 7 years ago • 4 comments

Hi Zend-Filter Team,

unfortunately the last bugfix update seems to contain a BC.

This is the diff I am talking about: https://github.com/zendframework/zend-filter/commit/76a6967a1ca5fc5f27bdea708451b1c851b1d72d#diff-d178b1651bd6efe807b184425f956970

The commit message actually just says "Ensure tests run against all PHP versions" but in fact in the file src/Encrypt/BlockCipher.php in line 66 and then 68 there is a breaking change.

Background:

  • we are using Zend-Crypt v3.1.0 already for quite a while.
  • we are using Zend-Filter as well (latest before the update in v2.7.1)
  • we are using mcrypt to encrypt strings (with rijndael-128 as the algorithm)

The Problem:

  • with the v2.7.2 (bugfix version) the $cipherType was changed from hardcoded mcrypt to a value that is fetched from the SymmetricPluginManager in the file mentioned above
  • I am talking about those lines:
      $cipherPluginManager = CryptBlockCipher::getSymmetricPluginManager();
      $cipherType = $cipherPluginManager->has('openssl') ? 'openssl' : 'mcrypt';
  • the problem is that $cipherPluginManager->has('openssl') will always return true if you use Zend-Crypt > v3
  • the real problem derives from that because there is no setting to tell the SymmetricPluginManager or the BlockCipher class which cipherType to use but it is implicitly set

The Result:

  • as a result whenever the Crypt class is loaded with the algorithm we use (rijndael-128) it will fail because the openssl implementation does not contain this algo in the $encryptionAlgos property
  • it fails because this particular algo can only be found in the mcrypt class

Possible Solution:

  • have a possibility to let the user decide which cipherType to use
  • the default might still be set to openssl but it would be really helpful to have the possibility to override that, e.g. from within the global config

That's my report for now. Shall I create a pull request for a potential change including setting the desired cipherType from the config?

Thanks in advance.

null9beta avatar May 30 '17 10:05 null9beta

@null9beta

> the problem is that $cipherPluginManager->has('openssl') will always return true if you use Zend-Crypt > v3

Right.

> the real problem derives from that because there is no setting to tell the SymmetricPluginManager or the BlockCipher class which cipherType to use but it is implicitly set

You can set your own SymmetricPluginManager.


Thanks for reporting!

froschdesign avatar May 30 '17 10:05 froschdesign

@froschdesign First of all, thanks for getting back that quickly. You are right. I did not recognize that I can explicitly set the SymmetricPluginManager like that. Thanks. That will definitely solve it for the moment.

null9beta avatar May 30 '17 15:05 null9beta
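
The workaround discussed in the comments above, sketched as an added example that is not part of the original thread or the project's own code: a plugin manager that hides the openssl adapter so the filter's `has('openssl')` check falls through to mcrypt. It assumes zend-crypt 3.x, zend-filter 2.7.2, and a PHP build with ext-mcrypt; the class name `McryptOnlyPluginManager` and the environment variable `APP_ENCRYPTION_KEY` are hypothetical.

```php
<?php
// Added example: pin zend-filter's BlockCipher adapter to mcrypt so that
// data encrypted with 'rijndael-128' before the 2.7.2 update stays readable.
// Assumes zend-crypt 3.x, zend-filter 2.7.2 and ext-mcrypt are installed.
require 'vendor/autoload.php';

use Zend\Crypt\BlockCipher as CryptBlockCipher;
use Zend\Crypt\SymmetricPluginManager;
use Zend\Filter\Encrypt\BlockCipher as BlockCipherFilter;

/**
 * Hypothetical plugin manager that reports 'openssl' as unavailable.
 * The filter asks has('openssl') and uses 'mcrypt' when that is false.
 */
final class McryptOnlyPluginManager extends SymmetricPluginManager
{
    public function has($id)
    {
        return $id !== 'openssl' && parent::has($id);
    }
}

// Must run before the filter is constructed: the adapter is chosen
// inside the filter's constructor.
CryptBlockCipher::setSymmetricPluginManager(new McryptOnlyPluginManager());

// Hypothetical variable name; load the key from wherever it is stored.
$key = getenv('APP_ENCRYPTION_KEY');
if ($key === false || $key === '') {
    throw new RuntimeException('Encryption key is not configured.');
}

$filter = new BlockCipherFilter([
    'algorithm' => 'rijndael-128', // only known to the mcrypt adapter
    'key'       => $key,
]);

// Round trip on a constructed sample value to confirm the adapter works.
$sample     = 'constructed sample value';
$ciphertext = $filter->encrypt($sample);
if ($filter->decrypt($ciphertext) !== $sample) {
    throw new RuntimeException('Round trip failed with the mcrypt adapter.');
}
echo "mcrypt adapter selected, round trip OK\n";
```

The plugin manager is held statically by `Zend\Crypt\BlockCipher`, so this setting applies to every block cipher created afterwards in the same process, not only to this filter.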

@froschdesign What about this issue? It has milestone 2.7.3 but I don't think it's going to be released as we already have 2.8.0 and this problem seems to be not resolved there...

michalbundyra avatar Apr 12 '18 08:04 michalbundyra

This repository has been closed and moved to laminas/laminas-filter; a new issue has been opened at https://github.com/laminas/laminas-filter/issues/8.

weierophinney avatar Dec 31 '19 22:12 weierophinney