From 79541e1c2f19388f8e3c1ae65f0dad0673e750ee Mon Sep 17 00:00:00 2001
From: Max Semenik
Date: Mon, 7 Oct 2019 16:15:15 -0700
Subject: [PATCH] Session: Remove mcrypt support, dropped from PHP 7.2
Change-Id: I46d04f4b31730ee1b368f2c2646638fa59234f66
(cherry picked from commit 2816b4f7daa872725887df41dde4641b41d5e234)
---
 includes/DefaultSettings.php | 2 +-
 includes/session/Session.php | 42 ++----------------------------------
 2 files changed, 3 insertions(+), 41 deletions(-)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 84490731b2..d8aff2da1c 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -8684,7 +8684,7 @@ $wgHttpsPort = 443;
 $wgSessionSecret = false;
 /**
- * If for some reason you can't install the PHP OpenSSL or mcrypt extensions,
+ * If for some reason you can't install the PHP OpenSSL extension,
 * you can set this to true to make MediaWiki work again at the cost of storing
 * sensitive session data insecurely. But it would be much more secure to just
 * install the OpenSSL extension.
diff --git a/includes/session/Session.php b/includes/session/Session.php
index 681d6cf33e..9bd329cab0 100644
--- a/includes/session/Session.php
+++ b/includes/session/Session.php
@@ -433,20 +433,6 @@ final class Session implements \Countable, \Iterator, \ArrayAccess {
 }
 }
- if ( function_exists( 'mcrypt_encrypt' )
- && in_array( 'rijndael-128', mcrypt_list_algorithms(), true )
- ) {
- $modes = mcrypt_list_modes();
- if ( in_array( 'ctr', $modes, true ) ) {
- self::$encryptionAlgorithm = [ 'mcrypt', 'rijndael-128', 'ctr' ];
- return self::$encryptionAlgorithm;
- }
- if ( in_array( 'cbc', $modes, true ) ) {
- self::$encryptionAlgorithm = [ 'mcrypt', 'rijndael-128', 'cbc' ];
- return self::$encryptionAlgorithm;
- }
- }
-
 if ( $wgSessionInsecureSecrets ) {
 // @todo: import a pure-PHP library for AES instead of this
 self::$encryptionAlgorithm = [ 'insecure' ];
@@ -454,8 +440,8 @@ final class Session implements \Countable, \Iterator, \ArrayAccess {
 }
 throw new \BadMethodCallException(
- 'Encryption is not available. You really should install the PHP OpenSSL extension, ' .
- 'or failing that the mcrypt extension. But if you really can\'t and you\'re willing ' .
+ 'Encryption is not available. You really should install the PHP OpenSSL extension. ' .
+ 'But if you really can\'t and you\'re willing ' .
 'to accept insecure storage of sensitive session data, set ' .
 '$wgSessionInsecureSecrets = true in LocalSettings.php to make this exception go away.'
 );
@@ -490,17 +476,6 @@ final class Session implements \Countable, \Iterator, \ArrayAccess {
 throw new \UnexpectedValueException( 'Encryption failed: ' . openssl_error_string() );
 }
 break;
- case 'mcrypt':
- // PKCS7 padding
- $blocksize = mcrypt_get_block_size( $algorithm[1], $algorithm[2] );
- $pad = $blocksize - ( strlen( $serialized ) % $blocksize );
- $serialized .= str_repeat( chr( $pad ), $pad );
-
- $ciphertext = mcrypt_encrypt( $algorithm[1], $encKey, $serialized, $algorithm[2], $iv );
- if ( $ciphertext === false ) {
- throw new \UnexpectedValueException( 'Encryption failed' );
- }
- break;
 case 'insecure':
 $ex = new \Exception( 'No encryption is available, storing data as plain text' );
 $this->logger->warning( $ex->getMessage(), [ 'exception' => $ex ] );
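Review bot: The reworded `BadMethodCallException` message in the `@@ -454,8 +440,8 @@` hunk still ends with "to make this exception go away", which presents `$wgSessionInsecureSecrets = true` as a way to dismiss an error rather than as a security downgrade. With the mcrypt branch removed by this commit, that setting is the only path the message offers to a host without OpenSSL, and the `'insecure'` case visible in the following hunk stores the data as plain text with only a logged warning. Since the string is being edited anyway, I would end it with the consequence instead, e.g. `'$wgSessionInsecureSecrets = true in LocalSettings.php; session secrets will then be stored unencrypted.'`. The commit description or release notes should also state that installs which relied on the mcrypt fallback will begin throwing here after the upgrade. The enclosing method begins and ends outside the hunk.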
@@ -564,19 +539,6 @@ final class Session implements \Countable, \Iterator, \ArrayAccess {
 return $default;
 }
 break;
- case 'mcrypt':
- $serialized = mcrypt_decrypt( $algorithm[1], $encKey, base64_decode( $ciphertext ),
- $algorithm[2], base64_decode( $iv ) );
- if ( $serialized === false ) {
- $ex = new \Exception( 'Decyption failed' );
- $this->logger->debug( $ex->getMessage(), [ 'exception' => $ex ] );
- return $default;
- }
-
- // Remove PKCS7 padding
- $pad = ord( substr( $serialized, -1 ) );
- $serialized = substr( $serialized, 0, -$pad );
- break;
 case 'insecure':
 $ex = new \Exception(
 'No encryption is available, retrieving data that was stored as plain text'
-- 
2.20.1