View Issue Details

ID: 0022708
Project: mantisbt
Category: code cleanup
View Status: public
Last Update: 2017-04-11 06:46
Reporter: atrol
Assigned To:
Status: confirmed
Resolution: open
Summary: 0022708: Remove usage of deprecated function mcrypt_create_iv

Remove usage of deprecated function mcrypt_create_iv

mcrypt_create_iv is deprecated in PHP 7.1 [1]
We use it in function crypto_generate_random_string

Warnings are generated, depending on the operating system and the error_reporting setting.

e.g. it seems that our first choice to use openssl_random_pseudo_bytes is typically not available on Windows [2]


Tags: No tags attached.




2017-04-11 06:46

developer   ~0056493

I did some quick research on this, and it appears that the use of openssl_random_pseudo_bytes() for crypto purposes is no longer recommended [1][2], and it's also worth mentioning that there's been a security issue with this function [3] (fixed in 5.6.12, 5.5.28, 5.4.44).

I would suggest that we change crypto_generate_random_string() to

We could also decide to bundle for older PHP versions, this way we could further simplify the code in crypto_generate_random_string()
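
The following is an added example, not part of the note above, not MantisBT code, and not the change the note proposes (which is cut off on this page). It sketches one way to obtain random bytes without mcrypt_create_iv(), assuming PHP's built-in random_bytes() where available; the function name example_random_bytes() is hypothetical.

```php
<?php
/**
 * Added example, not MantisBT code. example_random_bytes() is a hypothetical
 * helper name. It never calls mcrypt_create_iv().
 *
 * @param integer $p_bytes Number of random bytes wanted.
 * @return string Raw binary string of exactly $p_bytes bytes.
 */
function example_random_bytes( $p_bytes ) {
	if( !is_int( $p_bytes ) || $p_bytes < 1 ) {
		throw new InvalidArgumentException( 'Byte count must be a positive integer' );
	}

	# PHP >= 7.0: random_bytes() reads the operating system CSPRNG and throws
	# an exception instead of returning weak output.
	if( function_exists( 'random_bytes' ) ) {
		return random_bytes( $p_bytes );
	}

	# Older PHP: openssl_random_pseudo_bytes() reports through its second
	# argument whether a strong algorithm was used. Reject anything else.
	if( function_exists( 'openssl_random_pseudo_bytes' ) ) {
		$t_strong = false;
		$t_random = openssl_random_pseudo_bytes( $p_bytes, $t_strong );
		if( $t_random !== false && $t_strong === true && strlen( $t_random ) === $p_bytes ) {
			return $t_random;
		}
	}

	# Fail closed: no silent fallback to mt_rand(), rand() or uniqid().
	throw new RuntimeException( 'No cryptographically secure random source available' );
}

# Usage: a 32-byte token, hex-encoded so it is safe in a URL or form field.
$t_token = bin2hex( example_random_bytes( 32 ) );
echo strlen( $t_token ), "\n";
```

The security-relevant choice is the final throw: a caller that needs a token for a password reset or a CSRF check gets an error rather than predictable output when no strong source exists.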