Merge pull request #24925 from ATM-Consulting/FIX_openssl_iv_truncation_shouldnt_rely_on_dol_trunc

FIX: use dol_substr instead of dol_trunc for truncating openssl initialization vector
2026-01-06 17:13:03 +01:00 · 2023-06-04 15:21:45 +02:00
parent 950d9cb158 cb9eac9047
commit e6ea14d2f2
1 changed files with 1 additions and 1 deletions
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -152,7 +152,7 @@ function dolEncrypt($chain, $key = '', $ciphering = 'AES-256-CTR', $forceseed =
 		if (empty($forceseed)) {
 			$ivseed = dolGetRandomBytes($ivlen);
 		} else {
-			$ivseed = dol_trunc(md5($forceseed), $ivlen, 'right', 'UTF-8', 1);
+			$ivseed = dol_substr(md5($forceseed), 0, $ivlen, 'ascii', 1);
 		}

 		$newchain = openssl_encrypt($chain, $ciphering, $key, 0, $ivseed);