- JSON -> Content-Security-Policy header compiler for Apache and nginx configurations
diff --git a/tmp/phr_471Znr/vendor/autoload.php b/tmp/phr_6bTGzo/vendor/autoload.php | |
index 46c0c70..65ab5cb 100644 | |
--- a/tmp/phr_471Znr/vendor/autoload.php | |
+++ b/tmp/phr_6bTGzo/vendor/autoload.php | |
@@ -4,4 +4,4 @@ | |
require_once __DIR__ . '/composer' . '/autoload_real.php'; | |
-return ComposerAutoloaderInit0d991f5b8a84042e16cf24b4b1b48953::getLoader(); | |
+return ComposerAutoloaderInit6ccd5a50ed5df4dc5993d5b375e26928::getLoader(); |
<?php | |
namespace Cryptography; | |
class Asymmetric | |
{ | |
// Let's not let users hang themselves; if we need more padding options let's add them later | |
const PAD_DEFAULT = 0; | |
const DRIVER_OPENSSL = 'openssl'; | |
const DRIVER_SODIUM = 'libsodium'; |
<?php | |
/** | |
* Since integers in 32-bit PHP 5.x are signed, exclusively, this only goes up to 2147483647 | |
*/ | |
function add_32bit($intA, $intB) | |
{ | |
if (!is_int($intA) || !is_int($intB)) { | |
return false; | |
} |
This is just a collection of thoughts and feelings about the technology industry and guidelines I feel should be upheld.
If a minimum wage employee cannot reasonably afford to attend an event (e.g. saving $300 for DEFCON is probably the upper limit), original research should NOT be presented at that event.
Presenting cutting-edge ideas to the wealthy only serves to insulate the fat cats from the disruptions of the poor. There are plenty of other researchers that hunger for career progression that will serve the whims and aims of the upper class that can afford to drop several thousand dollars on a technology conference.
Hello software developers,
Please check your code to ensure you're not making one of the following mistakes related to cryptography.
- Writing your own home-grown cryptography primitives (For example: Mifare Classic)
- Exception: For the sake of learning, but don't deploy it in production.
- Using a fast hash function (e.g. MD5, SHA256) for storing passwords. Use bcrypt instead.
- Not using a cryptographically secure random number generator
TL;DR - Don't use this code ever.
- Hard-coded key.
- Hard-coded, static initialization vector for CBC mode.
- Does not provide authenticated encryption
- Passes decrypted value to
unserialize()
Pour all of the ingredients above into a pot, add a little bit of Python, and you've got a remotely exploitable code injection vulnerability in any project that depends on this "confidential string" library.
This is my formal response to variations of the question, Why do you always link to paragonie.com in your technical discussions? which some people have asked (or implied while accusing me of being up to no good).
The short answer is because I always try link to the most relevant answer I can provide to a specific technical question, and the most relevant way to introduce a point I'm about to make is usually a blog post that I've already written.
But more importantly, I stand by everything written on that website. If a blog post doesn't line up with my current understanding of security engineering, cryptography, and the art/science of web development in PHP, I'll go back and change the post to keep it in line with new information.
Many of the blog points explain, in significant detail, a technical matter that I don't feel like reiterating every time someone is about to make the same mistake that the community has already learned from.
Typically, when someone makes this accusati
Okay, let's say you have:
- A password that consists of a single unknown character repeated an unknown number of times.
- A strong password hashing algorithm that doesn't impose an upper limit on length.
How hard is your incredibly unwise passphrase for a cracker to guess?
First, you have to know which character it is. If we go with printable ASCII characters, that gives us 94 possibilities.
However, if we stretch the alphabet out to include all UTF-8 codepoints, you get 1,112,064 possible values.