Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#9507] - Two factor authentication needs php mcrypt extension, but joomla doesn't warn about that

?
avatar andrepereiradasilva
andrepereiradasilva
21 Mar 2016

Steps to reproduce the issue

With a server WITHOUT php mcrypt extension installed (or disabled).

  1. Install Joomla with latest staging
  2. Enable Google Authenticator two factor authentication plugin
  3. Create a dummy user. Then edit and configure it to use with Google Authenticator (if you don't have use a chrome plugin for that, for instance https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai)
  4. Submit the security code

Expected result

Works, since it's not a Joomla requirement to have php mcrypt extension installed.

Actual result

Fatal error.

Notice: Use of undefined constant MCRYPT_RIJNDAEL_256 - assumed 'MCRYPT_RIJNDAEL_256' in /path/to/joomla/libraries/fof/encrypt/aes.php on line 44
Notice: Use of undefined constant MCRYPT_MODE_CBC - assumed 'MCRYPT_MODE_CBC' in /path/to/joomla/libraries/fof/encrypt/aes.php on line 63
Fatal error: Call to undefined function mcrypt_get_iv_size() in /path/to/joomla/libraries/fof/encrypt/aes.php on line 90

System information (as much as possible)

Joomla 3.4.8/Joomla 3.5.0 RC4.

avatar andrepereiradasilva andrepereiradasilva - open - 21 Mar 2016
avatar mbabker
mbabker - comment - 21 Mar 2016

I'll do a patch to add a notice to the install app saying a degraded experience is available without mcrypt. For other uses of it, especially with the FOFEncryptAes class, its isSupported() method should be called first so things can degrade gracefully when the support isn't there.

avatar andrepereiradasilva
andrepereiradasilva - comment - 21 Mar 2016

is mcrypt used elsewhere? or just for twoauth?

avatar mbabker
mbabker - comment - 21 Mar 2016

The JCrypt API supports it and there's some functionality in the restore.php upgrade file that uses it (but that checks for support and gracefully exits if unavailable). The password_compat and random_compat also make use of mcrypt internally in some conditions.

avatar mbabker
mbabker - comment - 21 Mar 2016

#9508 adds the install check. Don't close this issue, still more to do.

avatar andrepereiradasilva
andrepereiradasilva - comment - 21 Mar 2016

PHP mcrypt extension is not installed by default in some linux installations.

So i agree. IMHO it should exist a warning (warnings menu item in com_installer?) about that degraded experience and, of course, no fatal errors if it php mcrypt extension doesn't exist.

avatar mbabker
mbabker - comment - 21 Mar 2016

Eh, not so much there. Apparently that screen only has warnings related to extension uploads. Add something else to the system info page I'd say as that should be the appropriate place to put full environmental checks.

avatar brianteeman brianteeman - change - 22 Mar 2016
Labels Added: ?
avatar brianteeman brianteeman - change - 22 Mar 2016
Category Installation Plugins
avatar andrepereiradasilva
andrepereiradasilva - comment - 23 Mar 2016

i think now this can be closed has we have 3 PR that all joined, solves the mcrypt issue.

#9508
#9532
#9548

avatar brianteeman
brianteeman - comment - 23 Mar 2016

Closed

avatar brianteeman brianteeman - change - 23 Mar 2016
Status New Closed
Closed_Date 0000-00-00 00:00:00 2016-03-23 17:40:58
Closed_By brianteeman
avatar brianteeman brianteeman - close - 23 Mar 2016
avatar brianteeman brianteeman - close - 23 Mar 2016

Add a Comment

Login with GitHub to post a comment