This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests
are now tracked at the issue tracker at Github.
Closed
Fixed
Fixed
FS#1690 Inappropriate trim() in PMA_blowfish_decrypt
ACL & Authentication
-
2009-05-11 neil.steiner
If a user password ends with a space, auth_login() currently fails because PMA_blowfish_decrypt() uses trim($decrypt) inappropriately.
The PHP manual indicates that trim($str) without a second parameter will trim " ", \t, \n, \r, \0, and \x0B. PMA_blowfish_encrypt() has padded the blocks with \0, so I recommend only trimming trailing \0 characters from the decrypted block.
In rc2009-02-06, inc/blowfish.php line 563 currently reads:
return trim($decrypt);
I recommend changing that to:
return trim($decrypt, "\0");
It is unlikely that special characters other than spaces would appear at the end of a password, but PMA_blowfish_encrypt/decrypt might be used for more generic text, in which case support for these other characters would preserve symmetry. i.e. D(E($str) === $str at least unless $str has trailing \0 characters.
-
2009-05-26 andi
suggested patch applied
