-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix mcrypt fatal - Removed on PHP 7.2 #159
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is going to need unit and / integration tests to demonstrate that the encrypt/decrypt functions work on a range of strings, on a range of PHP versions.
How can we handle the potential backwards compatibility issues?
The plugin's readme.txt currently says it requires WP 3.4 - and that version of WP supports down to PHP 5.2, so ideally all of those versions would be tested in a GitHub Action workflow for the integration tests.
…ation into vip/deprecated-mcrypto � Conflicts: � tests/test-encryption.php
08527eb
to
1f67318
Compare
Thanks, @GaryJones! Actually writing a unit test for this functionality is a great idea, and I just added the first draft with 3 tests and 13 assertions. Let me know your thoughts. My concern with backward compatibility is also on the plugin update action. When a user running PHP 7.0 updates to the new version of Push Syndication, they will have the data encrypted with the old cipher, and if they update PHP to 7.2 or later, it will be just garbage. We might add some code to the |
990143f
to
02f0aa8
Compare
Thanks for the feedback @GaryJones! I just went ahead and refactored the code with your suggestions. It's possible that I might have overengineered it a little bit, but I'm open to more suggestions. I have added a few more test cases, but I was wondering if I should simplify it with smaller tests but with more test cases. What are your thoughts on that? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like where it's heading, but I've left a few more comments.
re tests - smaller is better, but more focused is even better - instead of only testing push_syndicate_encrypt
, test the public methods of each individual class instead to test their functionality and responses - and then test push_syndicate_encrypt()
to test the logic which decides which strategy is inserted in which context.
@GaryJones thanks! I was a bit conflicted if I should make it not static, so your input was decisive into doing that change. For now, it's using a global variable to store the object instance ( Regarding the filename, I haven't change it from Thanks for the |
75085c9
to
c9f684e
Compare
@GaryJones take a look at the changes. I changed the Thank you! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we're getting there.
4bd2285
to
1f6b87c
Compare
@GaryJones is there anything else missing on this one? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One minor copypasta, and I'd otherwise love to see namespaces used for the new code, but these don't have to be a blocker.
The only consideration would be what happens if someone has data encrypted with mcrypt under PHP 7.1, then updates to PHP 7.2, and finds they can't decrypt using the OpenSSL?
This is still an issue. |
mcrypt
library has been deprecated since PHP 7.1, and removed on PHP 7.2. This PR aims to replace themcrypt
implementation with the alternativeopenssl
library. It also aims to keep backwards compatibility whenmcrypt
is still available on the system.There will be issues decrypting old data, however: if the original data was encrypted with
mcrypt
, it will not be compatible withopenssl
, as the Rijndael AES is not available onopenssl
and it's not compatible withaes-256-cbc
(source). If there is a way to make the old encrypted data retro compatible, I'm open to suggestions.I also replaced the usage of
serialize
withwp_json_encode
for PHPCS compliance.Testing
I did a quick test on my PHP environment (PHP 7.4.21), and the encrypt/decrypt functions are working as intended:
Testing the simple string:
Testing with a complex array:
TODO/Questions
push_syndicate_get_cipher
returns false. We should add a warning on the dashboard disclaiming that the access tokens will not be encrypted.aes-256-cbc
the best cipher for this? I believe this is the closest to the originalMCRYPT_RIJNDAEL_256
.This PR will address and close #80, #144, and #150.