PhilETaylor
23 Nov 2018

Steps to reproduce the issue

Use the Joomla encrypt classes from fof
PHP 7.2 compatibility

Actual result

[Fri Nov 23 11:59:07 2018] PHP Warning:  Use of undefined constant MCRYPT_RIJNDAEL_128 - assumed 'MCRYPT_RIJNDAEL_128' (this will throw an Error in a future version of PHP) in /Users/phil/example.com/libraries/fof/encrypt/aes.php on line 170
[Fri Nov 23 11:59:07 2018] PHP Warning:  Use of undefined constant MCRYPT_MODE_CBC - assumed 'MCRYPT_MODE_CBC' (this will throw an Error in a future version of PHP) in /Users/phil/example.com/libraries/fof/encrypt/aes.php on line 170

$adapter = new FOFEncryptAesMcrypt();

Expected result

No errors

System information (as much as possible)

PHP 7.2 command line

Additional comments

@nikosdion states:

The latter two notices come from FOF 2 which is part of Joomla!. I terminated support for FOF 2 in mid-2016. FWIW the latest FOF 2 version I supplied to Joomla! does not have this problem. We are detecting mcrypt or OpenSSL presence and we prefer to use the latter.

PhilETaylor - open - 23 Nov 2018
PhilETaylor - change - 23 Nov 2018
The description was changed
PhilETaylor - edited - 23 Nov 2018

PhilETaylor - comment - 23 Nov 2018

MCRYPT_RIJNDAEL_128 is also used in restore.php

protected $cipherType = MCRYPT_RIJNDAEL_128;

and MCRYPT_MODE_CBC

protected $cipherMode = MCRYPT_MODE_CBC;

mbabker - comment - 23 Nov 2018

If you're doing blind searches for anything mcrypt related you're going to find a lot of references. The fact they exist is not a problem. If they are actually being used on PHP 7.2, it is a problem. If you look at the restore.php code you will find that class is conditionally instantiated; therefore those lines you highlighted are only executed if that condition is true.

mbabker - comment - 23 Nov 2018

Also take into consideration that the extension is installable via PECL. Therefore, a straight up "mcrypt should not be executed on PHP 7.2" policy cannot apply to any code; you must continue to use extension_loaded() checks.

zero-24 - comment - 23 Nov 2018

Use the Joomla encrypt classes from fof

Simple solution: don't use $adapter = new FOFEncryptAesMcrypt(); but $adapter = new FOFEncryptAesOpenssl(); :P

But this here:

    /**
     * Initialise the AES encryption object.
     *
     * Note: If the key is not 16 bytes this class will do a stupid key expansion for legacy reasons (produce the
     * SHA-256 of the key string and throw away half of it).
     *
     * @param   string           $key       The encryption key (password). It can be a raw key (16 bytes) or a passphrase.
     * @param   int              $strength  Bit strength (128, 192 or 256) – ALWAYS USE 128 BITS. THIS PARAMETER IS DEPRECATED.
     * @param   string           $mode      Encryption mode. Can be ebc or cbc. We recommend using cbc.
     * @param   FOFUtilsPhpfunc  $phpfunc   For testing
     * @param   string           $priority  Priority which adapter we should try first
     */
    public function __construct($key, $strength = 128, $mode = 'cbc', FOFUtilsPhpfunc $phpfunc = null, $priority = 'openssl')
    {
        if ($priority == 'openssl')
        {
            $this->adapter = new FOFEncryptAesOpenssl();

            if (!$this->adapter->isSupported($phpfunc))
            {
                $this->adapter = new FOFEncryptAesMcrypt();
            }
        }
        else
        {
            $this->adapter = new FOFEncryptAesMcrypt();

            if (!$this->adapter->isSupported($phpfunc))
            {
                $this->adapter = new FOFEncryptAesOpenssl();
            }
        }

        $this->adapter->setEncryptionMode($mode, $strength);
        $this->setPassword($key, true);
    }

should make sure there is no problem at all unless you decide to override the adapter priority?

So how can you reproduce the problem, without directly using $adapter = new FOFEncryptAesMcrypt();?
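
The extension_loaded() gating mbabker describes and the adapter fallback in the constructor quoted above, as an added example that is not part of the thread and is not FOF or Joomla code: it probes for the extension rather than the PHP version and fails closed when neither backend is present. pickAesBackend() and encryptAes128Cbc() are hypothetical names, and the key and message are constructed samples.

```php
<?php
// Added illustration; pickAesBackend() and encryptAes128Cbc() are hypothetical
// names, not FOF or Joomla API.

/**
 * Choose a backend by probing loaded extensions, never by PHP version:
 * mcrypt left core in PHP 7.2 but can still be installed from PECL.
 */
function pickAesBackend(string $priority = 'openssl'): string
{
    $order = $priority === 'mcrypt' ? ['mcrypt', 'openssl'] : ['openssl', 'mcrypt'];

    foreach ($order as $ext) {
        if (extension_loaded($ext)) {
            return $ext;
        }
    }
    // Fail closed instead of falling through to code that references
    // MCRYPT_* constants which do not exist without the extension.
    throw new RuntimeException('Neither openssl nor mcrypt is loaded');
}

function encryptAes128Cbc(string $plaintext, string $key16): string
{
    if (strlen($key16) !== 16) {
        throw new InvalidArgumentException('Key must be exactly 16 bytes');
    }
    $iv = random_bytes(16); // AES block size

    if (pickAesBackend() === 'openssl') {
        $ct = openssl_encrypt($plaintext, 'aes-128-cbc', $key16, OPENSSL_RAW_DATA, $iv);
    } else {
        // Only reached when mcrypt is loaded, so the constants are defined.
        // mcrypt zero-pads; OpenSSL uses PKCS#7, so the two outputs differ.
        $ct = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key16, $plaintext, MCRYPT_MODE_CBC, $iv);
    }
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }

    return $iv . $ct;
}

// Constructed sample key and message.
$blob = encryptAes128Cbc('constructed sample message', str_repeat("\x01", 16));
printf("backend=%s bytes=%d\n", pickAesBackend(), strlen($blob));
```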

PhilETaylor - comment - 23 Nov 2018

So how can you reproduce the problem

This problem came to light when moving a Joomla site to localhost which is PHP 7.2, and on restoring the site using Akeeba ANGIE wizard 6.3.0.

zero-24 - comment - 23 Nov 2018

This problem came to light when moving a Joomla site to localhost which is PHP 7.2, and on restoring the site using Akeeba ANGIE wizard 6.3.0.

Can you reproduce the problem on a clean install without 3rd Party Software on the same localhost running PHP 7.2?

PhilETaylor - change - 23 Nov 2018
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2018-11-23 15:26:15
Closed_By: PhilETaylor

PhilETaylor - comment - 23 Nov 2018

Can you reproduce the problem on a clean install without 3rd Party Software on the same localhost running PHP 7.2?

Nope. Case closed.

PhilETaylor - close - 23 Nov 2018
