From 86e4159480c3c74fd6d853fc16d33fc979bfdda9 Mon Sep 17 00:00:00 2001
From: Jeff Huijsmans
Date: Mon, 10 Jul 2023 20:08:22 +0200
Subject: [PATCH 1/2] Update changelog
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 86aead527..38e2a6a81 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
+## [8.4.2] - released 2023-07-xx
+### Security
+- If a key string is provided to the CryptKey constructor with an invalid
+ passphrase, the LogicException message generated will contain the given key.
+ The key is no longer leaked via this exception (PR #1353)
+
 ## [8.4.1] - released 2023-03-22
 ### Fixed
 - Fix deprecation notices for PHP 8.x (PR #1329)
From 5aba3df83650072944aaa1087aaa4e23daa1eba1 Mon Sep 17 00:00:00 2001
From: Jeff Huijsmans
Date: Mon, 10 Jul 2023 20:09:09 +0200
Subject: [PATCH 2/2] Remove potential key from exception message
---
 src/CryptKey.php | 2 +-
 tests/Utils/CryptKeyTest.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/CryptKey.php b/src/CryptKey.php
index 14cd8e7b4..bef2f3cdb 100644
--- a/src/CryptKey.php
+++ b/src/CryptKey.php
@@ -64,7 +64,7 @@ public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck =
 throw new LogicException('Unable to read key from file ' . $keyPath);
 }
 } else {
- throw new LogicException('Unable to read key from file ' . $keyPath);
+ throw new LogicException('Invalid key supplied');
 }
 if ($keyPermissionsCheck === true) {
diff --git a/tests/Utils/CryptKeyTest.php b/tests/Utils/CryptKeyTest.php
index b9c53b660..8edadb8b0 100644
--- a/tests/Utils/CryptKeyTest.php
+++ b/tests/Utils/CryptKeyTest.php
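Review bot: The `else` branch of `__construct` in src/CryptKey.php now throws a fixed message, but nothing on the line records why `$keyPath` was dropped, and the context line above it still builds `'Unable to read key from file ' . $keyPath`. A comment such as `// $keyPath may hold the key material itself on this path; keep it out of the message` would stop a later edit from re-adding it, and the remaining concatenation deserves a check that `$keyPath` can only be a filesystem path in that branch (its condition is outside the hunk). The message is also not the only place the argument can surface: unless `zend.exception_ignore_args` is on, the exception trace still carries the constructor arguments, so deployments that log full traces should enable it or, on PHP 8.2+, mark the parameter `#[\SensitiveParameter]`. The constructor starts and ends outside the hunk.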
@@ -55,7 +55,7 @@ public function testKeyString()
 public function testUnsupportedKeyType()
 {
 $this->expectException(\LogicException::class);
- $this->expectExceptionMessage('Unable to read key');
+ $this->expectExceptionMessage('Invalid key supplied');
 try {
 // Create the keypair
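Review bot: `expectExceptionMessage('Invalid key supplied')` in `testUnsupportedKeyType` is a substring match, so the test would still pass if key material were appended to the message again. Pinning the whole message, for example `$this->expectExceptionMessageMatches('/^Invalid key supplied$/');` (if the project's PHPUnit version provides it), turns this into a regression test for the leak the commit fixes. The test body continues past the end of the hunk.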