Merge pull request #26693 from nextcloud/backport/25714/stable20

[stable20] Explicitly check hex2bin input
This commit is contained in:
Morris Jobke 2021-04-22 20:54:46 +02:00 committed by GitHub
commit 35189a914b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 3 deletions

View File

@ -122,14 +122,14 @@ class Crypto implements ICrypto {
throw new \Exception('Authenticated ciphertext could not be decoded.'); throw new \Exception('Authenticated ciphertext could not be decoded.');
} }
$ciphertext = hex2bin($parts[0]); $ciphertext = $this->hex2bin($parts[0]);
$iv = $parts[1]; $iv = $parts[1];
$hmac = hex2bin($parts[2]); $hmac = $this->hex2bin($parts[2]);
if ($partCount === 4) { if ($partCount === 4) {
$version = $parts[3]; $version = $parts[3];
if ($version === '2') { if ($version === '2') {
$iv = hex2bin($iv); $iv = $this->hex2bin($iv);
} }
} }
@ -146,4 +146,20 @@ class Crypto implements ICrypto {
return $result; return $result;
} }
private function hex2bin(string $hex): string {
if (!ctype_xdigit($hex)) {
throw new \RuntimeException('String contains non hex chars: ' . $hex);
}
if (strlen($hex) % 2 !== 0) {
throw new \RuntimeException('Hex string is not of even length: ' . $hex);
}
$result = hex2bin($hex);
if ($result === false) {
throw new \RuntimeException('Hex to bin conversion failed: ' . $hex);
}
return $result;
}
} }