Pardot - false positive #212

@craiglondon

Description

Plugin URL - https://wordpress.org/plugins/pardot/

These are false positives, the maintainer of the plugin checks for openssl_encrypt and openssl_decrypt before falling back to mcrypt.

FILE: /wp-content/plugins/pardot/includes/pardot-settings-class.php
-------------------------------------------------------------------------------------------------------------------------------------------------------
FOUND 22 ERRORS AFFECTING 6 LINES
-------------------------------------------------------------------------------------------------------------------------------------------------------
 879 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 879 | ERROR | Function mcrypt_get_iv_size() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
 879 | ERROR | The constant "MCRYPT_RIJNDAEL_256" is deprecated since PHP 7.1 and removed since PHP 7.2
 879 | ERROR | The constant "MCRYPT_MODE_ECB" is deprecated since PHP 7.1 and removed since PHP 7.2
 880 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 880 | ERROR | Function mcrypt_create_iv() is deprecated since PHP 7.1 and removed since PHP 7.2; Use random_bytes() or OpenSSL instead
 880 | ERROR | The constant "MCRYPT_RAND" is deprecated since PHP 7.1 and removed since PHP 7.2
 883 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 883 | ERROR | Function mcrypt_encrypt() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
 883 | ERROR | The constant "MCRYPT_RIJNDAEL_256" is deprecated since PHP 7.1 and removed since PHP 7.2
 883 | ERROR | The constant "MCRYPT_MODE_ECB" is deprecated since PHP 7.1 and removed since PHP 7.2
 915 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 915 | ERROR | Function mcrypt_get_iv_size() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
 915 | ERROR | The constant "MCRYPT_RIJNDAEL_256" is deprecated since PHP 7.1 and removed since PHP 7.2
 915 | ERROR | The constant "MCRYPT_MODE_ECB" is deprecated since PHP 7.1 and removed since PHP 7.2
 916 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 916 | ERROR | Function mcrypt_create_iv() is deprecated since PHP 7.1 and removed since PHP 7.2; Use random_bytes() or OpenSSL instead
 916 | ERROR | The constant "MCRYPT_RAND" is deprecated since PHP 7.1 and removed since PHP 7.2
 919 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 919 | ERROR | Function mcrypt_decrypt() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
 919 | ERROR | The constant "MCRYPT_RIJNDAEL_256" is deprecated since PHP 7.1 and removed since PHP 7.2
 919 | ERROR | The constant "MCRYPT_MODE_ECB" is deprecated since PHP 7.1 and removed since PHP 7.2
-------------------------------------------------------------------------------------------------------------------------------------------------------
	/**
	 * Encrypts with a bit more complexity
	 *
	 * @since 1.1.2
	 */
	public static function pardot_encrypt( $input_string, $key = 'pardot_key', $set_flag = false ) {
		// Use simple OpenSSL encryption available in PHP 7.x+
		if ( function_exists( 'openssl_encrypt' ) ) {

			// IV length for AES-256-CBC must be 16 chars.
			$key = wp_salt( 'secure_auth' );
			$iv  = substr( wp_salt( 'auth' ), 0, 16 );

			return base64_encode( openssl_encrypt( $input_string, 'AES-256-CBC', $key, true, $iv ) );
		}

		// Otherwise fall back on mcrypt.
		if ( function_exists( 'mcrypt_encrypt' ) ) {
			$iv_size = mcrypt_get_iv_size( MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB );
			$iv      = mcrypt_create_iv( $iv_size, MCRYPT_RAND );
			$h_key   = hash( 'sha256', $key, TRUE );

			return base64_encode( mcrypt_encrypt( MCRYPT_RIJNDAEL_256, $h_key, $input_string, MCRYPT_MODE_ECB, $iv ) );
		}

		// And worst case scenario, fall back on base64_encode.
		return base64_encode( $input_string );
	}
	/**
	 * Decrypts with a bit more complexity.
	 *
	 * In situations where the string could not be decrypted boolean false will
	 * be returned. This could include scenarios where the string has already
	 * been decrypted.
	 *
	 * @since 1.1.2
	 *
	 * @return string|bool
	 */
	public static function pardot_decrypt( $encrypted_input_string, $key = 'pardot_key' ) {

		// Use simple OpenSSL encryption available in PHP 7.x+
		if ( function_exists( 'openssl_decrypt' ) ) {

			// IV length for AES-256-CBC must be 16 chars.
			$key = wp_salt( 'secure_auth' );
			$iv  = substr( wp_salt( 'auth' ), 0, 16);

			return openssl_decrypt( base64_decode( $encrypted_input_string ), 'AES-256-CBC', $key, true, $iv );
		}

		// Otherwise fall back on mcrypt.
		if ( function_exists( 'mcrypt_encrypt' ) ) {
			$iv_size = mcrypt_get_iv_size( MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB );
			$iv      = mcrypt_create_iv( $iv_size, MCRYPT_RAND );
			$h_key   = hash( 'sha256', $key, TRUE );

			return trim( mcrypt_decrypt( MCRYPT_RIJNDAEL_256, $h_key, base64_decode( $encrypted_input_string ), MCRYPT_MODE_ECB, $iv ) );
		}

		// And worst case scenario, fall back on base64_encode.
		return base64_decode( $encrypted_input_string );
	}
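As an added example (not the plugin's code and not part of the issue author's report): the OpenSSL-only form that the scanner messages above point to, using random_bytes() for a fresh IV on every call and carrying that IV inside the encoded value instead of deriving it from a site salt. wp_salt() is WordPress' real function; the `pardot_example_*` names are assumed, and the fallback salt string is a placeholder so the snippet also runs outside WordPress.

```php
<?php
// Added example: OpenSSL-only encrypt/decrypt with a per-message random IV.
// Assumes PHP 7.0+ (random_bytes) with the openssl extension loaded.

function pardot_example_key() {
	// The plugin keys off wp_salt( 'secure_auth' ); hashing the salt gives the
	// exact 32 bytes AES-256 uses instead of relying on silent truncation.
	$salt = function_exists( 'wp_salt' ) ? wp_salt( 'secure_auth' ) : 'example-salt-placeholder';
	return hash( 'sha256', $salt, true );
}

function pardot_example_encrypt( $plaintext ) {
	if ( ! function_exists( 'openssl_encrypt' ) ) {
		return false; // no usable cipher: do not pretend base64 is encryption
	}
	$iv_len = openssl_cipher_iv_length( 'AES-256-CBC' ); // 16 bytes
	$iv     = random_bytes( $iv_len );                   // new IV per message
	$ct     = openssl_encrypt( $plaintext, 'AES-256-CBC', pardot_example_key(), OPENSSL_RAW_DATA, $iv );
	if ( false === $ct ) {
		return false;
	}
	// Prepend the IV so decrypt can recover it without a shared static value.
	return base64_encode( $iv . $ct );
}

function pardot_example_decrypt( $encoded ) {
	if ( ! function_exists( 'openssl_decrypt' ) ) {
		return false;
	}
	$raw    = base64_decode( $encoded, true ); // strict: reject non-base64 input
	$iv_len = openssl_cipher_iv_length( 'AES-256-CBC' );
	if ( false === $raw || strlen( $raw ) <= $iv_len ) {
		return false; // too short to hold an IV plus at least one block
	}
	$iv = substr( $raw, 0, $iv_len );
	$ct = substr( $raw, $iv_len );
	// Returns false on a bad key or tampered padding, matching the plugin's
	// documented "false when it cannot be decrypted" contract.
	return openssl_decrypt( $ct, 'AES-256-CBC', pardot_example_key(), OPENSSL_RAW_DATA, $iv );
}

// Self-check when run from the command line with a constructed value.
$secret  = 'user@example.com';
$encoded = pardot_example_encrypt( $secret );
var_dump( pardot_example_decrypt( $encoded ) === $secret );
var_dump( pardot_example_decrypt( 'not-ciphertext' ) );
```

Because the IV is random, two encryptions of the same input produce different encoded strings, so nothing on the calling side may compare encoded values for equality.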
