News:

Support the VirtueMart project and become a member

Main Menu

Keys containing double quotes break vmcrypt

Started by ssc3, May 27, 2016, 10:13:48 AM

Previous topic - Next topic

ssc3

Joomla 3.51 and Virtuemart 3.0.16

php 5.6 and php 7

The following key file breaks vmcrypt

///////////////////////////////////////////////////////////

;<?php die(); */
                        [keys]
                        key = "‡a†Ê¨ÖÁÏ׌ª    ‰FZäÄ""
                        unixtime = "1464293091"
                        date = "2016-05-26 20:04:51"
                        b64 = "0"
                        size = "24"
                        ; */ ?>

///////////////////////////////////////////////////////////////

The key contains an extra double quote "

key = "‡a†Ê¨ÖÁÏ׌ª    ‰FZäÄ""

If you have a Windows server, keys with carriage returns also have the same effect

key = "‘Wi×hs=
‚È®Úüwò‘"R«ë"
                       
The key file itself is using line feeds as end of line markers

A temporary solution is to delete the key file and force a new key file to be generated.

Keep on doing this until a key without character returns or double quotes is created.

A more permanent solution would be to save the key with base64 encoding.
Virtuemart Payment Plugins
https://plugins.online-store.co.uk

Milbo

Thank you for report, explanation and idea how to fix it. My problem is now, how to update? We could force the system to generate a new key, when updating.

Or I remove in the keygenerator the " and any controll sign, easier for BC.

Or a check for the length and when it has doubled size => base64_decode. Hmmmm
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

ssc3

#2
vmcrypt reads the key file using parse_ini_file which gives an error,

but since the key file is always saved in the following order

key
unixtime
date
b64
size

You might be able to use regex to extract the key. It should work with keys containing double quotes,
so they would be need to generate new keys.
Virtuemart Payment Plugins
https://plugins.online-store.co.uk

Milbo

actually we can also just  generate a new key, the system works automatically with multikeys
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

ssc3

#4
As long as you do not have to retrieve data saved with the old key, then that would work.
Virtuemart Payment Plugins
https://plugins.online-store.co.uk

Milbo

Quote from: Milbo on May 27, 2016, 11:08:03 AM
Thank you for report, explanation and idea how to fix it. My problem is now, how to update? We could force the system to generate a new key, when updating.

Or I remove in the keygenerator the " and any controll sign, easier for BC.

Or a check for the length and when it has doubled size => base64_decode. Hmmmm
Quote from: Milbo on May 30, 2016, 18:34:08 PM
actually we can also just  generate a new key, the system works automatically with multikeys

So we could just add the base64_decode, when the length fits. I think that is the most simple solution
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Milbo

Even better, I just notice we note as value if it is an encoded key.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/