rspec/rules/S2278/php/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

[source,php]
----
<?php
  $ciphertext = mcrypt_encrypt(MCRYPT_DES, $key, $plaintext, $mode); // Noncompliant
  // ...
  $ciphertext = mcrypt_encrypt(MCRYPT_DES_COMPAT, $key, $plaintext, $mode); // Noncompliant
  // ...
  $ciphertext = mcrypt_encrypt(MCRYPT_TRIPLEDES, $key, $plaintext, $mode); // Noncompliant
  // ...
  $ciphertext = mcrypt_encrypt(MCRYPT_3DES, $key, $plaintext, $mode); // Noncompliant

  $cipher = "des-ede3-cfb";  // Noncompliant
  $ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);
?>
----

=== Compliant solution

[source,php]
----
<?php
  $ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plaintext, MCRYPT_MODE_CBC, $iv);
?>
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 15 Jun 2018, 15:10:28 Alexandre Gigleux wrote:
Mcrypt ciphers: \http://us3.php.net/manual/en/mcrypt.ciphers.php

=== on 16 Jul 2018, 13:55:32 Pierre-Yves Nicolas wrote:
It seems that http://php.net/manual/en/intro.mcrypt.php[Mcrypt is deprecated] in PHP 7.1 and removed in PHP 7.2.

=== on 16 Jul 2018, 14:20:39 Alexandre Gigleux wrote:
The fact Mcrypt is deprecated in PHP 7.1 and removed in PHP 7.2 doesn't prevent us to catch this pattern to help developers still relying on it to know that their code is not secure.

=== on 19 Jul 2018, 17:05:52 Tibor Blenessy wrote:
I also added DES when used with openssl_encrypt(...), as described here \https://stackoverflow.com/questions/39467008/use-openssl-encrypt-to-replace-mcrypt-for-3des-ecb-encryption


\[~alexandre.gigleux] I agree that we should detect also deprecated function calls, however I would refrain for using them in compliant code example (to avoid anybody blaming us that we recommended deprecated crypto). Either we can use ``++openssl_encrypt++`` \http://php.net/manual/en/function.openssl-encrypt.php  , or drop compliant example completely

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`include::../description.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
			`<?php`
			`$ciphertext = mcrypt_encrypt(MCRYPT_DES, $key, $plaintext, $mode); // Noncompliant`
			`// ...`
			`$ciphertext = mcrypt_encrypt(MCRYPT_DES_COMPAT, $key, $plaintext, $mode); // Noncompliant`
			`// ...`
			`$ciphertext = mcrypt_encrypt(MCRYPT_TRIPLEDES, $key, $plaintext, $mode); // Noncompliant`
			`// ...`
			`$ciphertext = mcrypt_encrypt(MCRYPT_3DES, $key, $plaintext, $mode); // Noncompliant`

			`$cipher = "des-ede3-cfb"; // Noncompliant`
			`$ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv);`
			`?>`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`----`
			`<?php`
			`$ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plaintext, MCRYPT_MODE_CBC, $iv);`
			`?>`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 15 Jun 2018, 15:10:28 Alexandre Gigleux wrote:`
			`Mcrypt ciphers: \http://us3.php.net/manual/en/mcrypt.ciphers.php`

			`=== on 16 Jul 2018, 13:55:32 Pierre-Yves Nicolas wrote:`
			`It seems that http://php.net/manual/en/intro.mcrypt.php[Mcrypt is deprecated] in PHP 7.1 and removed in PHP 7.2.`

			`=== on 16 Jul 2018, 14:20:39 Alexandre Gigleux wrote:`
			`The fact Mcrypt is deprecated in PHP 7.1 and removed in PHP 7.2 doesn't prevent us to catch this pattern to help developers still relying on it to know that their code is not secure.`

			`=== on 19 Jul 2018, 17:05:52 Tibor Blenessy wrote:`
			`I also added DES when used with openssl_encrypt(...), as described here \https://stackoverflow.com/questions/39467008/use-openssl-encrypt-to-replace-mcrypt-for-3des-ecb-encryption`


			\[~alexandre.gigleux] I agree that we should detect also deprecated function calls, however I would refrain for using them in compliant code example (to avoid anybody blaming us that we recommended deprecated crypto). Either we can use ``++openssl_encrypt++`` \http://php.net/manual/en/function.openssl-encrypt.php , or drop compliant example completely

			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`