Edgar Valarezo
Tue, 16 Mar 2010 16:32:14 -0700
Hi, I was playing with cookies on my CakePHP-powered LAMP box with the Suhosin security patch, and I discovered (better late than never) that Suhosin adds a srand() call before any rand(), so decrypting any text with Security::cipher simply doesn't work. Thinking about that, maybe the use of srand() and rand() in the cipher method is wrong, because it is a hack of the intended use (not a random number but a predictable one), so I wrote a new cipher method without any "random":
    function cipher($text, $key = '') {
        $key .= Configure::read('Security.cipherSeed');
        $out = '';
        $textLength = strlen($text);
        $keyLength = strlen($key);
        $k = 0;
        for ($i = 0; $i < $textLength; $i++) {
            $seed = md5($key . $key[($k++) % $keyLength]);
            $mask = hexdec($seed[6] . $seed[9]); // :)
            $out .= chr(ord($text[$i]) ^ $mask);
        }
        return $out;
    }
Perhaps it will help somebody.
Regards
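
An added example, not part of the original post and not CakePHP's own code: a stand-alone copy of the posted method, checked for the round trip it was written to restore and for the fact that its keystream depends only on the key, next to an authenticated alternative built on `openssl_encrypt` with AES-256-GCM. The names `posted_cipher`, `seal` and `unseal`, the `$seed` argument and all sample values are assumptions made for the illustration; it assumes PHP 7.1 or later with the openssl extension.

```php
<?php
// Stand-alone copy of the posted method. $seed stands in for
// Configure::read('Security.cipherSeed'); $i replaces the separate $k counter.
function posted_cipher($text, $key, $seed) {
    $key .= $seed;
    $out = '';
    $keyLength = strlen($key);
    for ($i = 0, $n = strlen($text); $i < $n; $i++) {
        $h = md5($key . $key[$i % $keyLength]);
        $out .= chr(ord($text[$i]) ^ hexdec($h[6] . $h[9]));
    }
    return $out;
}

// Authenticated alternative: AES-256-GCM with a fresh 12-byte nonce per message.
// Assumption: $key is 32 random bytes, generated once and kept server-side.
function seal($plain, $key) {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// Returns the plaintext, or false when the blob is malformed or the tag does not verify.
function unseal($blob, $key) {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return false;
    }
    $ct = (string) substr($raw, 28);
    return openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16));
}

// Constructed sample values, not taken from the post.
$key = 'cookie-key'; $seed = '1234567890';
$p1 = 'user=alice;role=user'; $p2 = 'user=bobby;role=user';
$c1 = posted_cipher($p1, $key, $seed); $c2 = posted_cipher($p2, $key, $seed);
$k = random_bytes(32);
$blob = seal($p1, $k);
$raw = base64_decode($blob);
$raw[30] = chr(ord($raw[30]) ^ 1);   // change one bit of the stored ciphertext

var_dump(array(
    'posted: round trip without srand()/rand()' => posted_cipher($c1, $key, $seed) === $p1,
    'posted: c1 XOR c2 equals p1 XOR p2'        => ($c1 ^ $c2) === ($p1 ^ $p2),
    'gcm: round trip'                           => unseal($blob, $k) === $p1,
    'gcm: modified blob rejected'               => unseal(base64_encode($raw), $k) === false,
));
```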