Newsgroups: php.internals
Date: Sun, 2 Mar 2014 12:07:34 -0500 (EST)
To: Nikita Popov
Cc: PHP internals
Subject: Re: [PHP-DEV] Stricter error handling in mcrypt extension
From: derick@php.net (Derick Rethans)

On Sun, 2 Mar 2014, Nikita Popov wrote:

> Hi internals!
>
> I would like to add a number of additional error checks in
> php_mcrypt_do_crypt - which affects the mcrypt_encrypt, mcrypt_decrypt and
> mcrypt_{BLOCK_CHAINING_MODE} userland functions.
>
> The proposed changes are:
> * Throw a warning and return bool(false) if the IV size is invalid. The
>   old behavior was to throw a warning and use a NUL-byte IV.
> * Throw a warning and return bool(false) if no IV was specified, but the
>   block chaining mode requires an IV. The old behavior was to throw a warning
>   and use a NUL-byte IV.
> * Throw a warning and return bool(false) if the key size is invalid. The
>   old behavior was to **silently** pad the string to the next valid key size
>   with NUL bytes or, if the key is too long, to throw a warning and truncate
>   it to the maximum valid key size.
>
> An implementation of these changes can be found in the PR
> https://github.com/php/php-src/pull/610.

I've added some comments, with those fixed, feel free to commit this.

cheers,
Derick

-- 
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
Posted with an email client that doesn't mangle email: alpine
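
Added example (not part of the original message and not code from php-src): a small C model of the key and IV handling described in the quoted proposal, contrasting the old NUL-padding behaviour with the stricter checks. The Rijndael key sizes (16, 24, 32 bytes), the 16-byte block size, the function names and the sample keys are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for this example: Rijndael key sizes in bytes, 16-byte block. */
static const size_t KEY_SIZES[] = {16, 24, 32};
enum { N_SIZES = 3, MAX_KEY = 32, BLOCK = 16 };

/* Old behaviour per the thread: NUL-pad up to the next valid size, or
 * truncate to the largest. Returns the effective key length. */
size_t legacy_prepare_key(const void *key, size_t len, unsigned char out[MAX_KEY])
{
    size_t use = MAX_KEY;
    for (int i = 0; i < N_SIZES; i++)
        if (len <= KEY_SIZES[i]) { use = KEY_SIZES[i]; break; }
    memset(out, 0, MAX_KEY);
    memcpy(out, key, len < use ? len : use);
    return use;
}

/* Proposed behaviour: exact sizes only. 0 on success, -1 on rejection. */
int strict_prepare_key(const void *key, size_t len, unsigned char out[MAX_KEY])
{
    for (int i = 0; i < N_SIZES; i++)
        if (len == KEY_SIZES[i]) { memcpy(out, key, len); return 0; }
    return -1;
}

/* Proposed behaviour: a missing or wrongly sized IV is an error, never
 * replaced by a NUL-byte IV. 0 if acceptable, -1 otherwise. */
int strict_check_iv(const void *iv, size_t iv_len, int mode_needs_iv)
{
    if (!mode_needs_iv) return 0;
    return (iv != NULL && iv_len == BLOCK) ? 0 : -1;
}

/* 1 if two different caller keys become the same effective legacy key. */
int legacy_keys_collide(const void *a, size_t alen, const void *b, size_t blen)
{
    unsigned char ka[MAX_KEY], kb[MAX_KEY];
    size_t la = legacy_prepare_key(a, alen, ka), lb = legacy_prepare_key(b, blen, kb);
    return la == lb && memcmp(ka, kb, la) == 0;
}

int main(void)
{
    unsigned char out[MAX_KEY];
    /* Constructed sample keys: 7 bytes, and the same 7 bytes plus two NULs. */
    printf("legacy len for 7-byte key: %zu\n", legacy_prepare_key("hunter2", 7, out));
    printf("legacy collision: %d\n", legacy_keys_collide("hunter2", 7, "hunter2\0\0", 9));
    printf("strict accepts 7-byte key: %d\n", strict_prepare_key("hunter2", 7, out));
    printf("strict accepts missing IV: %d\n", strict_check_iv(NULL, 0, 1));
    return 0;
}
```

Under the legacy model a short passphrase used directly as a key yields an effective key that is mostly NUL bytes, and distinct inputs can map to the same key; the strict model surfaces the mistake to the caller instead.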