View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0022708 | mantisbt | code cleanup | public | 2017-04-11 05:53 | 2017-04-11 06:46 |
Reporter | atrol | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | confirmed | Resolution | open | ||
Summary | 0022708: Remove usage of deprecated function mcrypt_create_iv | ||||
Description | Remove usage of deprecated function mcrypt_create_iv mcrypt_create_iv is deprecated in PHP 7.1 [1] Warnings are generated, depending on operating system and setting error_reporting. e.g. it seems that our first choice to use openssl_random_pseudo_bytes is typically not available on Windows [2] [1] http://php.net/manual/en/function.mcrypt-create-iv.php | ||||
Tags | No tags attached. | ||||
I did a quick research on this, and it appears that the use of openssl_random_pseudo_bytes() for crypto purposes is no longer recommended [1][2], and it's also worth mentioning that there's been a security issue with this function [3] (fixed in 5.6.12, 5.5.28, 5.4.44). I would suggest that we change crypto_generate_random_string() to
We could also decide to bundle https://github.com/paragonie/random_compat for older PHP versions, this way we could further simplify the code in crypto_generate_random_string() |
|