From: ungdi at hotmail dot com Operating system: Windows Server 2003 PHP version: 5.0.3 PHP Bug Type: OpenSSL related Bug description: openssl_pkcs7_encrypt(), data interception is too easy
Description: ------------ Currently, the openssl_pkcs7_encrypt() function as according to the documentation here: http://www.php.net/manual/en/function.openssl-pkcs7-encrypt.php Requires that the unencrypted input be a file already on the file system. This forces any PHP program having to output any form submission contents (destined to be an encrypted S/MIME e-mail) into the file system before encryption. After encryption is complete, it will be necessary to delete the file from the disk. This method makes it trivial to recover the unencrypted information from the file on the disk through an undelete command or access of the drive data. Also, this causes the function to expose the unencrypted data on the disk to the whole system temporarily. During this window where the data is being encrypted, after the unencrypted data has been written to a file, it allows other programs or users to access the file and its unencrypted contents making it trivial to intercept the data being encrypted. The function should be made to allow a string/data to be passed directly to the function without going through the file system. By allowing direct passing of the string to be encrypted to the openssl_pkcs7_encrypt() function, this decreases the surface area (possibility) and time frame in which someone can recover/access the unencrypted information. Reproduce code: --------------- Not applicable. Expected result: ---------------- Not applicable. Actual result: -------------- Not applicable. -- Edit bug report at http://bugs.php.net/?id=31945&edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=31945&r=trysnapshot4 Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=31945&r=trysnapshot50 Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=31945&r=trysnapshot51 Fixed in CVS: http://bugs.php.net/fix.php?id=31945&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=31945&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=31945&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=31945&r=needscript Try newer version: http://bugs.php.net/fix.php?id=31945&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=31945&r=support Expected behavior: http://bugs.php.net/fix.php?id=31945&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=31945&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=31945&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=31945&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=31945&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=31945&r=dst IIS Stability: http://bugs.php.net/fix.php?id=31945&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=31945&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=31945&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=31945&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=31945&r=mysqlcfg
