[Tickets #14231] Re: Log in into Horde Groupware from another website

noreply at bugs.horde.org noreply at bugs.horde.org
Fri Feb 12 11:46:01 UTC 2016 

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/14231
------------------------------------------------------------------------------
  Ticket             | 14231
  Updated By         | lukas_barros at hotmail.com
  Summary            | Log in into Horde Groupware from another website
  Queue              | Horde Framework Packages
  Type               | Bug
  State              | Resolved
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             | Jan Schneider
------------------------------------------------------------------------------


lukas_barros at hotmail.com (2016-02-12 11:46) wrote:

> Changes have been made in Git (master):
>
> commit d9defefe7c671d3b3f72e4a8e6627e168f0d5da1
> Author: Jan Schneider <jan at horde.org>
> Date:   Fri Feb 12 11:40:39 2016 +0100
>
>     Don't use local cipher caches if the key changed (Bug #14231).
>
>  framework/Core/lib/Horde/Core/Secret/Cbc.php |    3 ++-
>  framework/Core/package.xml                   |    4 ++--
>  framework/Secret/lib/Horde/Secret.php        |    3 ++-
>  framework/Secret/package.xml                 |    4 ++--
>  4 files changed, 8 insertions(+), 6 deletions(-)
>
> http://github.com/horde/horde/commit/d9defefe7c671d3b3f72e4a8e6627e168f0d5da1


Hello Jan,

Please correct me if I am wrong. When I was developing the solution I  
saw that this modification was not needed for  
/Secret/lib/Horde/Secret.php because of how the index "idx" is  
calculated:

$idx = hash('md5', $key);

  The index depends on $key, so if $key has a different value than  
before, $idx will have a different value, leading to  
$this->_cipherCache[$idx] being empty, causing another  
Horde_Crypt_Blowfish object being created with the new $key.

In Cbc.php the index of _cipherCache[self::HORDE_KEYNAME] is a  
constant, so a change in $key would not lead to the creating of a new  
Horde_Crypt_Blowfish object with the new value.

This is why this bug did not happen before the addition of the Cbc encryption.

Best regards,

Lucas Barros Araújo

More information about the bugs mailing list