From bfe711230878bd232955748ddba73e094c15ada7 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sat, 27 Jun 2015 19:57:35 +0200 Subject: [PATCH 1/5] Fix: change encrypt/decrypt method for avoid division by zero --- htdocs/core/class/cookie.class.php | 30 +++++++++++------------------- 1 file changed, 11 insertions(+), 19 deletions(-) diff --git a/htdocs/core/class/cookie.class.php b/htdocs/core/class/cookie.class.php index bcca9fcfa73..d2677543252 100644 --- a/htdocs/core/class/cookie.class.php +++ b/htdocs/core/class/cookie.class.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2009-2015 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -28,7 +28,9 @@ */ class DolCookie { - var $myKey; + private $myKey; + private $iv; + var $myCookie; var $myValue; var $myExpire; @@ -45,7 +47,8 @@ class DolCookie */ function __construct($key = '') { - $this->myKey = $key; + $this->myKey = hash('sha256', $key, TRUE); + $this->iv = md5(md5($this->myKey)); $this->cookiearray = array(); $this->cookie = ""; $this->myCookie = ""; @@ -60,14 +63,10 @@ class DolCookie */ function cryptCookie() { - if (!empty($this->myKey)) + if (!empty($this->myKey) && !empty($this->iv)) { $valuecrypt = base64_encode($this->myValue); - $max=dol_strlen($valuecrypt)-1; - for ($f=0 ; $f <= $max; $f++) - { - $this->cookie .= intval(ord($valuecrypt[$f]))*$this->myKey."|"; - } + $this->cookie = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->myKey, $valuecrypt, MCRYPT_MODE_CBC, $this->iv)); } else { 
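Review bot: In the constructor hunk, `$this->iv = md5(md5($this->myKey))` makes the IV a fixed function of the key, so every cookie is CBC-encrypted under the same IV and equal values (or equal leading blocks) produce equal ciphertext. A fresh IV per cookie, generated in cryptCookie with `mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_DEV_URANDOM)` and stored in front of the ciphertext, would avoid this. Separately, `hash('sha256', $key, TRUE)` is a non-empty 32-byte string even for the default `$key = ''`, so the `!empty($this->myKey)` guards in cryptCookie and decryptCookie can no longer fail, and a missing key silently becomes a key derived from the empty string. `$this->myKey = ($key !== '') ? hash('sha256', $key, TRUE) : '';` would keep the guard meaningful. The constructor body continues outside this hunk.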
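Review bot: The new `mcrypt_encrypt(..., MCRYPT_MODE_CBC, ...)` call in cryptCookie produces ciphertext with no integrity protection, and the value is stored client-side, so a modified cookie is decrypted by decryptCookie (next hunk) without detection. I would compute a MAC over the ciphertext with a separate key, e.g. `hash_hmac('sha256', $ciphertext, $macKey, true)`, send it with the cookie, and compare it with `hash_equals()` (PHP 5.6+, otherwise a constant-time fallback) before calling `mcrypt_decrypt`. Note also that `MCRYPT_RIJNDAEL_256` is Rijndael with a 256-bit block, not AES; `MCRYPT_RIJNDAEL_128` with the same 32-byte key is AES-256. The `else` branch of cryptCookie lies outside the hunk.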
@@ -84,17 +83,10 @@ class DolCookie */ function decryptCookie() { - if (!empty($this->myKey)) + if (!empty($this->myKey) && !empty($this->iv)) { - $this->cookiearray = explode("|",$_COOKIE[$this->myCookie]); - $this->myValue = "" ; - $num = (count($this->cookiearray) - 2); - for ($f = 0; $f <= $num; $f++) - { - if (!empty($this->myKey)) { - $this->myValue .= strval(chr($this->cookiearray[$f]/$this->myKey)); - } - } + $this->cookie = $_COOKIE[$this->myCookie]; + $this->myValue = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->myKey, base64_decode($this->cookie), MCRYPT_MODE_CBC, $this->iv)); return(base64_decode($this->myValue)); } From dfae24ded9b245154222a4ebe959fbe4e965da83 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sat, 27 Jun 2015 20:20:27 +0200 Subject: [PATCH 2/5] Fix: remove unused var --- htdocs/core/class/cookie.class.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/htdocs/core/class/cookie.class.php b/htdocs/core/class/cookie.class.php index d2677543252..e99975bbf98 100644 --- a/htdocs/core/class/cookie.class.php +++ b/htdocs/core/class/cookie.class.php @@ -37,7 +37,6 @@ class DolCookie var $myPath; var $myDomain; var $mySecure; - var $cookiearray; var $cookie; /** @@ -49,7 +48,6 @@ class DolCookie { $this->myKey = hash('sha256', $key, TRUE); $this->iv = md5(md5($this->myKey)); - $this->cookiearray = array(); $this->cookie = ""; $this->myCookie = ""; $this->myValue = ""; From bf9c7c8ef9c154cd2baa9d7bfbdf891ed751dcc6 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sat, 27 Jun 2015 20:26:40 +0200 Subject: [PATCH 3/5] Fix: add private/public function --- htdocs/core/class/cookie.class.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/core/class/cookie.class.php b/htdocs/core/class/cookie.class.php index e99975bbf98..f24029a9912 100644 --- a/htdocs/core/class/cookie.class.php +++ b/htdocs/core/class/cookie.class.php 
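Review bot: decryptCookie reads `$_COOKIE[$this->myCookie]` without checking that the cookie exists and passes the result of `base64_decode()` straight to `mcrypt_decrypt`, so a missing or malformed cookie raises notices or warnings and yields a garbage value rather than a clean failure. A guard such as `if (empty($_COOKIE[$this->myCookie])) return '';` plus a strict decode, `$raw = base64_decode($this->cookie, true); if ($raw === false) return '';`, would reject such input early. The empty-string return is my assumption about what callers expect. The function's `else` branch is outside this hunk.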
@@ -59,7 +59,7 @@ class DolCookie * * @return void */ - function cryptCookie() + private function cryptCookie() { if (!empty($this->myKey) && !empty($this->iv)) { @@ -79,7 +79,7 @@ class DolCookie * * @return string */ - function decryptCookie() + private function decryptCookie() { if (!empty($this->myKey) && !empty($this->iv)) { @@ -105,7 +105,7 @@ class DolCookie * @param int $secure 0 or 1 * @return void */ - function _setCookie($cookie, $value, $expire=0, $path="/", $domain="", $secure=0) + public function _setCookie($cookie, $value, $expire=0, $path="/", $domain="", $secure=0) { $this->myCookie = $cookie; $this->myValue = $value; @@ -125,7 +125,7 @@ class DolCookie * @param string $cookie Cookie name * @return string Decrypted value */ - function _getCookie($cookie) + public function _getCookie($cookie) { $this->myCookie = $cookie; From 5ac292f9ae779a7350485d1d7a39492f8c258b6f Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sat, 27 Jun 2015 20:32:19 +0200 Subject: [PATCH 4/5] Fix: Private member variable must be prefixed with an underscore --- htdocs/core/class/cookie.class.php | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/htdocs/core/class/cookie.class.php b/htdocs/core/class/cookie.class.php index f24029a9912..ddb1937ab78 100644 --- a/htdocs/core/class/cookie.class.php +++ b/htdocs/core/class/cookie.class.php @@ -28,8 +28,8 @@ */ class DolCookie { - private $myKey; - private $iv; + private $_myKey; + private $_iv; var $myCookie; var $myValue; @@ -46,8 +46,8 @@ class DolCookie */ function __construct($key = '') { - $this->myKey = hash('sha256', $key, TRUE); - $this->iv = md5(md5($this->myKey)); + $this->_myKey = hash('sha256', $key, TRUE); + $this->_iv = md5(md5($this->_myKey)); $this->cookie = ""; $this->myCookie = ""; $this->myValue = ""; 
@@ -61,10 +61,10 @@ class DolCookie */ private function cryptCookie() { - if (!empty($this->myKey) && !empty($this->iv)) + if (!empty($this->_myKey) && !empty($this->_iv)) { $valuecrypt = base64_encode($this->myValue); - $this->cookie = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->myKey, $valuecrypt, MCRYPT_MODE_CBC, $this->iv)); + $this->cookie = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->_myKey, $valuecrypt, MCRYPT_MODE_CBC, $this->_iv)); } else { @@ -81,10 +81,10 @@ class DolCookie */ private function decryptCookie() { - if (!empty($this->myKey) && !empty($this->iv)) + if (!empty($this->_myKey) && !empty($this->_iv)) { $this->cookie = $_COOKIE[$this->myCookie]; - $this->myValue = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->myKey, base64_decode($this->cookie), MCRYPT_MODE_CBC, $this->iv)); + $this->myValue = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->_myKey, base64_decode($this->cookie), MCRYPT_MODE_CBC, $this->_iv)); return(base64_decode($this->myValue)); } From 5efea745a1e588fd11c8f9a031f2fa4f123187e3 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Sat, 27 Jun 2015 20:37:22 +0200 Subject: [PATCH 5/5] Fix: Public method name must not be prefixed with an underscore --- htdocs/core/class/cookie.class.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/htdocs/core/class/cookie.class.php b/htdocs/core/class/cookie.class.php index ddb1937ab78..52385155c33 100644 --- a/htdocs/core/class/cookie.class.php +++ b/htdocs/core/class/cookie.class.php @@ -59,7 +59,7 @@ class DolCookie * * @return void */ - private function cryptCookie() + private function _cryptCookie() { if (!empty($this->_myKey) && !empty($this->_iv)) { @@ -79,7 +79,7 @@ class DolCookie * * @return string */ - private function decryptCookie() + private function _decryptCookie() { if (!empty($this->_myKey) && !empty($this->_iv)) { 
@@ -105,7 +105,7 @@ class DolCookie * @param int $secure 0 or 1 * @return void */ - public function _setCookie($cookie, $value, $expire=0, $path="/", $domain="", $secure=0) + public function setCookie($cookie, $value, $expire=0, $path="/", $domain="", $secure=0) { $this->myCookie = $cookie; $this->myValue = $value; @@ -116,7 +116,7 @@ class DolCookie //print 'key='.$this->myKey.' name='.$this->myCookie.' value='.$this->myValue.' expire='.$this->myExpire; - $this->cryptCookie(); + $this->_cryptCookie(); } /** @@ -125,11 +125,11 @@ class DolCookie * @param string $cookie Cookie name * @return string Decrypted value */ - public function _getCookie($cookie) + public function getCookie($cookie) { $this->myCookie = $cookie; - $decryptValue = $this->decryptCookie(); + $decryptValue = $this->_decryptCookie(); return $decryptValue; }