wpengine / phpcompat

WordPress Plugin: PHP Compatibility Checker

Home Page: https://wordpress.org/plugins/php-compatibility-checker/


Pardot - false positive

craiglondon opened this issue

Plugin URL - https://wordpress.org/plugins/pardot/

These are false positives: the maintainer of the plugin checks for openssl_encrypt and openssl_decrypt before falling back to mcrypt.

FILE: /wp-content/plugins/pardot/includes/pardot-settings-class.php
-------------------------------------------------------------------------------------------------------------------------------------------------------
FOUND 22 ERRORS AFFECTING 6 LINES
-------------------------------------------------------------------------------------------------------------------------------------------------------
 879 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 879 | ERROR | Function mcrypt_get_iv_size() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
 879 | ERROR | The constant "MCRYPT_RIJNDAEL_256" is deprecated since PHP 7.1 and removed since PHP 7.2
 879 | ERROR | The constant "MCRYPT_MODE_ECB" is deprecated since PHP 7.1 and removed since PHP 7.2
 880 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 880 | ERROR | Function mcrypt_create_iv() is deprecated since PHP 7.1 and removed since PHP 7.2; Use random_bytes() or OpenSSL instead
 880 | ERROR | The constant "MCRYPT_RAND" is deprecated since PHP 7.1 and removed since PHP 7.2
 883 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 883 | ERROR | Function mcrypt_encrypt() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
 883 | ERROR | The constant "MCRYPT_RIJNDAEL_256" is deprecated since PHP 7.1 and removed since PHP 7.2
 883 | ERROR | The constant "MCRYPT_MODE_ECB" is deprecated since PHP 7.1 and removed since PHP 7.2
 915 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 915 | ERROR | Function mcrypt_get_iv_size() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
 915 | ERROR | The constant "MCRYPT_RIJNDAEL_256" is deprecated since PHP 7.1 and removed since PHP 7.2
 915 | ERROR | The constant "MCRYPT_MODE_ECB" is deprecated since PHP 7.1 and removed since PHP 7.2
 916 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 916 | ERROR | Function mcrypt_create_iv() is deprecated since PHP 7.1 and removed since PHP 7.2; Use random_bytes() or OpenSSL instead
 916 | ERROR | The constant "MCRYPT_RAND" is deprecated since PHP 7.1 and removed since PHP 7.2
 919 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
 919 | ERROR | Function mcrypt_decrypt() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
 919 | ERROR | The constant "MCRYPT_RIJNDAEL_256" is deprecated since PHP 7.1 and removed since PHP 7.2
 919 | ERROR | The constant "MCRYPT_MODE_ECB" is deprecated since PHP 7.1 and removed since PHP 7.2
-------------------------------------------------------------------------------------------------------------------------------------------------------
	/**
	 * Encrypts with a bit more complexity
	 *
	 * @since 1.1.2
	 */
	public static function pardot_encrypt( $input_string, $key = 'pardot_key', $set_flag = false ) {
		// Use simple OpenSSL encryption available in PHP 7.x+
		if ( function_exists( 'openssl_encrypt' ) ) {

			// IV length for AES-256-CBC must be 16 chars.
			$key = wp_salt( 'secure_auth' );
			$iv  = substr( wp_salt( 'auth' ), 0, 16 );

			return base64_encode( openssl_encrypt( $input_string, 'AES-256-CBC', $key, true, $iv ) );
		}

		// Otherwise fall back on mcrypt.
		if ( function_exists( 'mcrypt_encrypt' ) ) {
			$iv_size = mcrypt_get_iv_size( MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB );
			$iv      = mcrypt_create_iv( $iv_size, MCRYPT_RAND );
			$h_key   = hash( 'sha256', $key, TRUE );

			return base64_encode( mcrypt_encrypt( MCRYPT_RIJNDAEL_256, $h_key, $input_string, MCRYPT_MODE_ECB, $iv ) );
		}

		// And worst case scenario, fall back on base64_encode.
		return base64_encode( $input_string );
	}
	/**
	 * Decrypts with a bit more complexity.
	 *
	 * In situations where the string could not be decrypted boolean false will
	 * be returned. This could include scenarios where the string has already
	 * been decrypted.
	 *
	 * @since 1.1.2
	 *
	 * @return string|bool
	 */
	public static function pardot_decrypt( $encrypted_input_string, $key = 'pardot_key' ) {

		// Use simple OpenSSL encryption available in PHP 7.x+
		if ( function_exists( 'openssl_decrypt' ) ) {

			// IV length for AES-256-CBC must be 16 chars.
			$key = wp_salt( 'secure_auth' );
			$iv  = substr( wp_salt( 'auth' ), 0, 16);

			return openssl_decrypt( base64_decode( $encrypted_input_string ), 'AES-256-CBC', $key, true, $iv );
		}

		// Otherwise fall back on mcrypt.
		if ( function_exists( 'mcrypt_encrypt' ) ) {
			$iv_size = mcrypt_get_iv_size( MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB );
			$iv      = mcrypt_create_iv( $iv_size, MCRYPT_RAND );
			$h_key   = hash( 'sha256', $key, TRUE );

			return trim( mcrypt_decrypt( MCRYPT_RIJNDAEL_256, $h_key, base64_decode( $encrypted_input_string ), MCRYPT_MODE_ECB, $iv ) );
		}

		// And worst case scenario, fall back on base64_decode.
		return base64_decode( $encrypted_input_string );
	}
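
One way to triage findings like the ones in this report, as an added example that is not part of the original issue and is not code from the Pardot plugin or the PHP Compatibility Checker: tokenize the flagged file and mark each line that references `mcrypt_*` or `MCRYPT_*` as guarded or unguarded by a `function_exists( 'mcrypt_...' )` block. The function name `mcrypt_reference_lines` and the sample source are assumptions made for this illustration.

```php
<?php
// Added example. Returns [ line => bool ]: true when every mcrypt_*/MCRYPT_*
// reference on that line sits inside an
// `if ( function_exists( 'mcrypt_...' ) ) { ... }` block, false otherwise.
function mcrypt_reference_lines( string $source ): array {
	$skip   = [ T_WHITESPACE, T_COMMENT, T_DOC_COMMENT ];
	$tokens = array_values( array_filter(
		token_get_all( $source ),
		fn( $t ) => ! is_array( $t ) || ! in_array( $t[0], $skip, true )
	) );
	$scopes  = [];    // one entry per open '{': true if a mcrypt guard opened it
	$pending = false; // guard condition seen, waiting for its '{'
	$lines   = [];
	foreach ( $tokens as $i => $t ) {
		$id   = is_array( $t ) ? $t[0] : $t;
		$text = is_array( $t ) ? $t[1] : $t;
		if ( '{' === $id ) {
			$scopes[] = $pending;
			$pending  = false;
		} elseif ( T_CURLY_OPEN === $id || T_DOLLAR_OPEN_CURLY_BRACES === $id ) {
			$scopes[] = false; // "{$var}" in a string also closes with '}'
		} elseif ( '}' === $id ) {
			array_pop( $scopes );
		} elseif ( ';' === $id ) {
			$pending = false; // the condition had no braced block
		} elseif ( T_STRING === $id && 'function_exists' === strtolower( $text ) ) {
			$arg     = $tokens[ $i + 2 ] ?? null; // first argument, after '('
			$negated = '!' === ( $tokens[ $i - 1 ] ?? null );
			$pending = ! $negated && is_array( $arg )
				&& T_CONSTANT_ENCAPSED_STRING === $arg[0]
				&& 0 === stripos( trim( $arg[1], '\'"' ), 'mcrypt_' );
		} elseif ( T_STRING === $id && 0 === stripos( $text, 'mcrypt_' ) ) {
			$guarded        = in_array( true, $scopes, true );
			$lines[ $t[2] ] = ( $lines[ $t[2] ] ?? true ) && $guarded;
		}
	}
	return $lines;
}
// Constructed sample: one guarded call and one unguarded call.
$sample = <<<'PHP'
<?php
function demo( $s, $k ) {
	if ( function_exists( 'mcrypt_encrypt' ) ) {
		return mcrypt_encrypt( MCRYPT_RIJNDAEL_256, $k, $s, MCRYPT_MODE_ECB );
	}
	return mcrypt_decrypt( MCRYPT_RIJNDAEL_256, $k, $s, MCRYPT_MODE_ECB );
}
PHP;
foreach ( mcrypt_reference_lines( $sample ) as $line => $ok ) {
	printf( "line %d: %s\n", $line, $ok ? 'guarded' : 'unguarded' );
}
```

This is a triage heuristic: compound conditions, guards stored in a variable, and early-return guards are not modelled and still need manual review.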