enforced strict base64 decoding and added warning to not use GnuPG PE…

…CL setup
syseleven · Dec 19, 2016 · 45b51ed · 45b51ed
1 parent 6de64ff
commit 45b51ed
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+# 0.10b1 (2016-12-19)
+
+* enforced strict base64 decoding
+* added info to config.php.default and to README.md that the GnuPG PECL should currently not be used (thanks to Nikolas Lotz)
+
 # 0.10b0 (2016-12-19)
 
 * fixed a security bug that allowed to retrieve a secret several times by appending query parameters to the secret (thanks to Nikolas Lotz)

diff --git a/README.md b/README.md
@@ -106,6 +106,8 @@ sudo -u www-data -H gpg --import ./public.asc
 
 ### PHP Setup
 
+**Beware:** Due to a serious bug in the GnuPG PECL package we ask to use the non-PECL setup.
+
 To use the [GnuPG PECL package](https://pecl.php.net/package/gnupg) it has to be installed and activated on the server. The following steps are based on Ubuntu 16.04 LTS and only serve as an example for the installation and activation of the GnuPG PECL package:
 ```
 # install PHP PEAR/PECL

diff --git a/actions/read.php b/actions/read.php
@@ -54,17 +54,17 @@ function read_secret($secret) {
                         $decrypted_secret = decrypt_legacy($secret, GPG_HOME_DIR, GPG_PASSPHRASE_FILE);
                       } else {
                         if (GNUPG_PECL) {
-                          $decrypted_secret = decrypt_pecl(base64_decode($secret), GPG_KEY_FINGERPRINT, GPG_HOME_DIR, GPG_PASSPHRASE_FILE);
+                          $decrypted_secret = decrypt_pecl(base64_decode($secret, true), GPG_KEY_FINGERPRINT, GPG_HOME_DIR, GPG_PASSPHRASE_FILE);
                         } else {
-                          $decrypted_secret = decrypt(base64_decode($secret), GPG_HOME_DIR, GPG_PASSPHRASE_FILE);
+                          $decrypted_secret = decrypt(base64_decode($secret, true), GPG_HOME_DIR, GPG_PASSPHRASE_FILE);
                         }
                       }
                     } else {
                       # decrypt secret
                       if (GNUPG_PECL) {
-                        $decrypted_secret = decrypt_pecl(base64_decode($secret), GPG_KEY_FINGERPRINT, GPG_HOME_DIR, GPG_PASSPHRASE_FILE);
+                        $decrypted_secret = decrypt_pecl(base64_decode($secret, true), GPG_KEY_FINGERPRINT, GPG_HOME_DIR, GPG_PASSPHRASE_FILE);
                       } else {
-                        $decrypted_secret = decrypt(base64_decode($secret), GPG_HOME_DIR, GPG_PASSPHRASE_FILE);
+                        $decrypted_secret = decrypt(base64_decode($secret, true), GPG_HOME_DIR, GPG_PASSPHRASE_FILE);
                       }  
                     }
 

diff --git a/index.php b/index.php
@@ -1,6 +1,6 @@
 <?php
 
-  # Shared-Secrets v0.10b0
+  # Shared-Secrets v0.10b1
   #
   # Copyright (c) 2016, SysEleven GmbH
   # All rights reserved.