Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#34147] - [4.0.0] Deprecate mcrypt use in decrypting settings for 2fa

? Pending

User tests: Successful: Unsuccessful:

avatar PhilETaylor
PhilETaylor
23 May 2021

Summary of Changes

The mcrypt extension has been abandonware for over a decade now, and was also fairly complex to use. It has therefore been deprecated in favour of OpenSSL, where it will be removed from the core and into PECL in PHP 7.2. It was deprecated in PHP 7.1

There is one use in Joomla 4 that can still be triggered, and that is to decrypt the configuration and OTEP values from the database, if previously encrypted with mcrypt.

If this case is triggered then Joomla decrypts using mcrypt and re-encrypts using openssl using the AES Class.

THIS CODE HAS NEVER WORKED ANYWAY SINCE BEING ADDED due to a typo in the constructor arguments when setting up the $mcrypt instance. The number of params provided meant that the mcrypt' value last in the params list was never used, meaning that $mcrypt` was always an instance using the openssl adapter.

As Joomla 4.0.0 is about to be released (cough, maybe some time, but the RC will be) we need to slip these deprecated tags in else it will be another decade before we can remove this code.

@wilsonge urgent review please :) :) :)

Testing Instructions

Code review.

// cc @nikosdion @joomdonation
// replacement for #33954

avatar PhilETaylor PhilETaylor - open - 23 May 2021
avatar PhilETaylor PhilETaylor - change - 23 May 2021
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 23 May 2021
Category Administration com_users Libraries
avatar PhilETaylor PhilETaylor - change - 23 May 2021
Labels Added: ?
avatar PhilETaylor PhilETaylor - change - 23 May 2021
The description was changed
avatar PhilETaylor PhilETaylor - edited - 23 May 2021
avatar richard67 richard67 - test_item - 23 May 2021 - Tested successfully
avatar richard67
richard67 - comment - 23 May 2021

I have tested this item successfully on e9ab4ee

Code review.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34147.

avatar PhilETaylor
PhilETaylor - comment - 23 May 2021

drone failure unrelated to PR content :)

avatar wilsonge
wilsonge - comment - 23 May 2021

More than happy to merge the deprecation stuff. Honestly the constructor thing is one of those things where - do we break things more by fixing it than it was before xD #scaredMaintainer :)

avatar PhilETaylor
PhilETaylor - comment - 24 May 2021

well its clearly never worked ever... so maybe I just document that it has never ever worked and put verbose notes to say its never ever worked and a note to say to remove it in 5.0.0 rather than fix it.

What it means is that any OTP config, currently encrypted with mcrypt, will not be able to be decrypted and migrated to openssl. Its a very very fringe case anyway.

Obviously the correct course of action is to fix it properly. :-)

avatar PhilETaylor
PhilETaylor - comment - 24 May 2021

I have moved the deprecation to here: #34159 for you to merge on sight.

avatar PhilETaylor
PhilETaylor - comment - 24 May 2021

and the rest of the commenting is here: #34160

So we dont actually fix the problem anymore, just document it, ready for deletion in 5.0.0 and thus I'll close this PR and we can leave this bug alone.

avatar PhilETaylor PhilETaylor - change - 24 May 2021
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2021-05-24 09:48:25
Closed_By PhilETaylor
avatar PhilETaylor PhilETaylor - close - 24 May 2021

Add a Comment

Login with GitHub to post a comment