Fix #19096 blowfish_secret validation: support 64-char hex format and conver… #19599

Open
AMGui63 wants to merge 1 commit into phpmyadmin:master from AMGui63:fix-blowfish-secret

AMGui63 commented Feb 12, 2025

Fix blowfish_secret validation: support 64-character hex format and update documentation

Description

  • Updated HomeController.php to allow blowfish_secret as a 64-character hex string.
  • If a valid hex string is detected, it is automatically converted to binary using hex2bin().
  • Added warnings for incorrect key length.
  • Updated config.sample.inc.php to reflect the new behavior.
  • Updated documentation (docs/config.rst) to explain how users should configure blowfish_secret.

Fixes: A 64-char hex string should be allowed for the blowfish_secret config directive #19096

Before submitting pull request, please review the following checklist:

  • Make sure you have read our CONTRIBUTING.md document.
  • Make sure you are making a pull request against the correct branch. For example, for bug fixes in a released version use the corresponding QA branch and for new features use the master branch. If you have a doubt, you can ask as a comment in the bug report or on the mailing list.
  • Every commit has proper Signed-off-by line as described in our DCO. This ensures that the work you're submitting is your own creation.
  • Every commit has a descriptive commit message.
  • Every commit is needed on its own, if you have just minor fixes to previous commits, you can squash them.
  • Any new functionality is covered by tests.

…t to binary

Signed-off-by: huai.wang <huai.wang@vossic.com>

Fix blowfish_secret validation: support 64-character hex format and update documentation

Signed-off-by: huai.wang <guanhuaidesu@gmail.com>
Signed-off-by: huai.wang <huai.wang@vossic.com>

word style

Signed-off-by: huai.wang <huai.wang@vossic.com>
// If the key is in hexadecimal and has a length of 64 characters (i.e., 32 bytes), then convert it to binary.
if ($encryptionKeyLength === 64 && ctype_xdigit($config->settings['blowfish_secret'])) {
// Convert the hexadecimal string to binary and override the original blowfish_secret
$binaryKey = hex2bin($config->settings['blowfish_secret']);
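
Review bot: `hex2bin()` on the `blowfish_secret` value in the last line is not a constant-time decode, and its result is assigned to `$binaryKey` without handling a `false` return. Decode with `sodium_hex2bin()` instead, which the PHP manual documents as resistant to side-channel attacks, and catch the `SodiumException` it throws on malformed input. The `=== 64 && ctype_xdigit(...)` test also means that any secret that is 64 characters long and contains only hex digits is decoded to 32 bytes rather than taken literally, so the documentation update should state that rule explicitly.
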
Member

Please replace the hex2bin function with sodium_hex2bin. The hex2bin function should not be used for cryptography.
