View Issue Details

ID: 0032900
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-09-09 11:43
Reporter: atrol
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Target Version: 2.26.0
Fixed in Version: 2.26.0
Summary: 0032900: Use PHP random_bytes() instead of our custom crypto_generate_random_string function
Description

Starting with version 2.26.0 our minimum PHP version will be 7.2.5, see 0027840.

Function mcrypt_create_iv is not available in this PHP version, as it was deprecated in PHP 7.1.0, and removed in PHP 7.2.0.
See mcrypt_create_iv documentation.

Tags: No tags attached.

Relationships

related to 0027840 (resolved, dregad): Increase minimum PHP requirement to 7.2.5

Activities

atrol

2023-09-03 10:09

developer   ~0068061

PR https://github.com/mantisbt/mantisbt/pull/1913

dregad

2023-09-03 11:59

developer   ~0068063

As mentioned in my PR review, a bigger refactoring is needed here, as crypto_api has been made nearly obsolete with the introduction of the random_bytes() function in PHP 7.

atrol

2023-09-05 15:36

developer   ~0068070

New PR https://github.com/mantisbt/mantisbt/pull/1917

dregad

2023-09-06 12:45

developer   ~0068074

Changed the Summary to reflect the fact that we're no longer just targeting removal of mcrypt_create_iv(), but doing the more in-depth refactoring I mentioned in 0032900:0068063, i.e. fully replacing our custom random data generating code in crypto_api.php by PHP's standard random_bytes() function.

Also changing the category to security, as this more closely reflects what this change is really about.

Related Changesets

MantisBT: master 0d4dc09e

2023-09-05 14:34

atrol


Use random_bytes() to get cryptographically secure random bytes

Fixes 0032900
Affected Issues: 0032900
mod - admin/install.php
mod - core/crypto_api.php
mod - core/file_api.php

MantisBT: master d9c8e1df

2023-09-05 14:45

atrol


Deprecate crypto_generate_random_string() and crypto_generate_strong_random_string()

Issue 0032900
Affected Issues: 0032900
mod - core/crypto_api.php

MantisBT: master 9618371a

2023-09-05 15:05

atrol


Remove unused constant and language strings

Issue 0032900
Affected Issues: 0032900
mod - core/constant_inc.php
mod - lang/strings_arabic.txt
mod - lang/strings_belarusian_tarask.txt
mod - lang/strings_breton.txt
mod - lang/strings_bulgarian.txt
mod - lang/strings_chinese_simplified.txt
mod - lang/strings_chinese_traditional.txt
mod - lang/strings_czech.txt
mod - lang/strings_danish.txt
mod - lang/strings_dutch.txt
mod - lang/strings_english.txt
mod - lang/strings_french.txt
mod - lang/strings_galician.txt
mod - lang/strings_german.txt
mod - lang/strings_hebrew.txt
mod - lang/strings_hungarian.txt
mod - lang/strings_interlingua.txt
mod - lang/strings_italian.txt
mod - lang/strings_japanese.txt
mod - lang/strings_lithuanian.txt
mod - lang/strings_macedonian.txt
mod - lang/strings_norwegian_bokmal.txt
mod - lang/strings_polish.txt
mod - lang/strings_portuguese_brazil.txt
mod - lang/strings_portuguese_standard.txt
mod - lang/strings_russian.txt
mod - lang/strings_slovak.txt
mod - lang/strings_spanish.txt
mod - lang/strings_swedish.txt
mod - lang/strings_swissgerman.txt
mod - lang/strings_turkish.txt
mod - lang/strings_ukrainian.txt

MantisBT: master b5858e3f

2023-09-09 10:36

atrol


Remove references to utility_api.php

Issue 0032900
Affected Issues: 0032900
mod - core/crypto_api.php