Hi,
I was playing with cookies in my CakePHP powered LAMP box with the
Suhosin security patch, and I dicovered (better late than never) than
Suhosin add a srand() call before any rand(), so decrypt any text with
Security:cipher simply doesn't work. Thinking about that, maybe the
use of srand() and rand() in cipher method is wrong because is a hack
of the waited use (no random number but predictable one), so I rewrite
a new cipher method without any "random":
function cipher($text, $key = '') {
$key .= Configure::read('Security.cipherSeed');
$out = '';
$textLength = strlen($text);
$keyLength = strlen($key);
$k = 0;
for ($i = 0; $i < $textLength; $i++) {
$seed = md5($key . $key[($k++) % $keyLength]);
$mask = hexdec($seed[6] . $seed[9]); // :)
$out .= chr(ord($text[$i]) ^ $mask);
}
return $out;
}
Perhaps it will help to somebody.
Regards
Check out the new CakePHP Questions site http://cakeqs.org and help others with
their CakePHP related questions.
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected] For more options, visit this group at
http://groups.google.com/group/cake-php?hl=en
