From eff61b3e4a9cba7b714ebbe592ef4a07aff3f7b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Wed, 26 Apr 2017 16:31:11 +0200
Subject: [PATCH] The ciphertext should never be less than 48 bytes, throw an exception in such case.

---
 lib/SimpleSAML/Utils/Crypto.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index 0bbc430cd..e9e229565 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -24,8 +24,10 @@ class Crypto
      */
     private static function _aesDecrypt($ciphertext, $secret)
     {
-        if (!is_string($ciphertext)) {
-            throw new \InvalidArgumentException('Input parameter "$ciphertext" must be a string.');
+        if (!is_string($ciphertext) || mb_strlen($ciphertext, '8bit') < 48) {
+            throw new \InvalidArgumentException(
+                'Input parameter "$ciphertext" must be a string with more than 48 characters.'
+            );
         }
         if (!function_exists("openssl_decrypt")) {
             throw new \SimpleSAML_Error_Exception("The openssl PHP module is not loaded.");
-- 
GitLab
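Review bot: The exception message in the new `throw` contradicts the check above it: the condition rejects only inputs shorter than 48 bytes (measured with `mb_strlen(..., '8bit')`), so a 48-byte string is accepted, while the message says "more than 48 characters" and talks about characters rather than bytes. Suggest `'Input parameter "$ciphertext" must be a string of at least 48 bytes.'` so the text matches both the operator and the unit actually measured. The 48-byte floor presumably corresponds to the fixed overhead the encrypt side prepends or appends (IV plus MAC, or similar), which this hunk does not show; if that is the case, an input of exactly 48 bytes carries zero bytes of actual AES output, so it may be worth confirming against the encrypt routine whether the minimum should be 48 plus one cipher block rather than 48. The rest of `_aesDecrypt`, including whatever slicing and authentication the 48-byte assumption protects, lies outside this hunk.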