The ciphertext should never be less than 48 bytes, throw an exception in such case.

eff61b3e · Jaime Pérez Crespo · 150c1ef1 · eff61b3e
Commit eff61b3e authored 7 years ago by Jaime Pérez Crespo
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -24,8 +24,10 @@ class Crypto
     */
    private static function _aesDecrypt($ciphertext, $secret)
    {
-        if (!is_string($ciphertext)) {
-            throw new \InvalidArgumentException('Input parameter "$ciphertext" must be a string.');
+        if (!is_string($ciphertext) || mb_strlen($ciphertext, '8bit') < 48) {
+            throw new \InvalidArgumentException(
+                'Input parameter "$ciphertext" must be a string with more than 48 characters.'
+            );
        }
        if (!function_exists("openssl_decrypt")) {
            throw new \SimpleSAML_Error_Exception("The openssl PHP module is not loaded.");