defuse · March 1, 2015 21:31
diff --git a/infoleak.php b/infoleak.php
 <?php
 // Broken crypto code from https://github.com/slimphp/Slim/blob/develop/Slim/Crypt.php
 function validateKeyLength($key, $module)
    {
        $keySize = strlen($key);
        $keySizeMin = 1;
        $keySizeMax = mcrypt_enc_get_key_size($module);
        $validKeySizes = mcrypt_enc_get_supported_key_sizes($module);
        if ($validKeySizes) {
            if (!in_array($keySize, $validKeySizes)) {
                throw new \InvalidArgumentException('Encryption key length must be one of: ' . implode(', ', $validKeySizes));
            }
        } else {
            if ($keySize < $keySizeMin || $keySize > $keySizeMax) {
                throw new \InvalidArgumentException(sprintf(
                    'Encryption key length must be between %s and %s, inclusive',
                    $keySizeMin,
                    $keySizeMax
                ));
            }
        }
    }

 $module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
 validateKeyLength("HEY LOOK THIS IS THE SECRET KEY!!", $module);

 /*
 PHP Fatal error:  Uncaught exception 'InvalidArgumentException' with message 'Encryption key length must be one of: 16, 24, 32' in /tmp/test.php:10
 Stack trace:
 #0 /tmp/test.php(24): validateKeyLength('HEY LOOK THIS I...', Resource id #4)
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 #1 {main}
  thrown in /tmp/test.php on line 10

 Fatal error: Uncaught exception 'InvalidArgumentException' with message 'Encryption key length must be one of: 16, 24, 32' in /tmp/test.php:10
 Stack trace:
 #0 /tmp/test.php(24): validateKeyLength('HEY LOOK THIS I...', Resource id #4)
 #1 {main}
  thrown in /tmp/test.php on line 10
 */
	<?php
	// Broken crypto code from https://github.com/slimphp/Slim/blob/develop/Slim/Crypt.php
	function validateKeyLength($key, $module)
	{
	$keySize = strlen($key);
	$keySizeMin = 1;
	$keySizeMax = mcrypt_enc_get_key_size($module);
	$validKeySizes = mcrypt_enc_get_supported_key_sizes($module);
	if ($validKeySizes) {
	if (!in_array($keySize, $validKeySizes)) {
	throw new \InvalidArgumentException('Encryption key length must be one of: ' . implode(', ', $validKeySizes));
	}
	} else {
	if ($keySize < $keySizeMin \|\| $keySize > $keySizeMax) {
	throw new \InvalidArgumentException(sprintf(
	'Encryption key length must be between %s and %s, inclusive',
	$keySizeMin,
	$keySizeMax
	));
	}
	}
	}

	$module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_CBC, '');
	validateKeyLength("HEY LOOK THIS IS THE SECRET KEY!!", $module);

	/*
	PHP Fatal error: Uncaught exception 'InvalidArgumentException' with message 'Encryption key length must be one of: 16, 24, 32' in /tmp/test.php:10
	Stack trace:
	#0 /tmp/test.php(24): validateKeyLength('HEY LOOK THIS I...', Resource id #4)
	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	#1 {main}
	thrown in /tmp/test.php on line 10

	Fatal error: Uncaught exception 'InvalidArgumentException' with message 'Encryption key length must be one of: 16, 24, 32' in /tmp/test.php:10
	Stack trace:
	#0 /tmp/test.php(24): validateKeyLength('HEY LOOK THIS I...', Resource id #4)
	#1 {main}
	thrown in /tmp/test.php on line 10
	*/