The new plugin mcrypt_aes_cbc does not use substr for keys longer than 32 characters, like the (now deprecated) mcrypt_rij_256 plugin did.
I've added a small check and substr to fix this.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 2631018-2.patch | 614 bytes | spadxiii |
Comments
Comment #2
spadxiii commented
Comment #3
heine commented
Why would you want to do this silently? Incorrect key sizes should imo fail hard.
Comment #4
rlhawk
My main concern with this is that it can easily hide a mistake by the user. For example, if you create a random 256-bit key and base64-encode it, it will be 44 characters long. If you forget to check the box to indicate to Encrypt that it's base64-encoded, with this patch the key will be truncated to 32 characters, substantially reducing the quality of the key without giving any indication, since encryption and decryption will work fine.
@SpadXIII, please explain the use case for allowing longer keys.
Comment #5
mrharolda commented
My guess is that this is for backwards compatibility ...
@SpadXIII, if you are using $conf['encrypt_drupal_variable_key'] in your settings.php to set a key, you could perform the substr() there, if needed.
Comment #6
rlhawk
Closing this as won't fix. Reopen it to continue the discussion.
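
The failure mode raised in comments #3 and #4, as an added example that is not part of the thread or of the Encrypt module's code: a strict key check that fails hard, next to the silent truncation it replaces. The helper name `encrypt_example_validate_key()` is hypothetical, and the accepted lengths are assumed to be the AES key sizes (16, 24 or 32 bytes).

```php
<?php
// Added illustration; encrypt_example_validate_key() is a hypothetical helper,
// not a function provided by the Encrypt module.

/**
 * Returns the raw key bytes, or throws if the key is not an AES key size.
 */
function encrypt_example_validate_key(string $key, bool $is_base64): string {
  if ($is_base64) {
    // Strict mode rejects characters outside the base64 alphabet.
    $raw = base64_decode($key, true);
    if ($raw === false) {
      throw new InvalidArgumentException('Key is not valid base64.');
    }
  }
  else {
    $raw = $key;
  }
  $len = strlen($raw);
  // Assumption: the cipher is AES, which takes 16, 24 or 32 byte keys.
  if (!in_array($len, [16, 24, 32], true)) {
    throw new InvalidArgumentException(
      "Key is $len bytes; expected 16, 24 or 32. Refusing to truncate."
    );
  }
  return $raw;
}

// Constructed sample: a random 256-bit key, base64-encoded (44 characters).
$encoded = base64_encode(random_bytes(32));

// Silent truncation: encryption still works, but only 32 base64 characters
// (6 bits each) of the original key material remain.
$truncated = substr($encoded, 0, 32);
printf("truncated: %d chars, at most %d bits\n",
  strlen($truncated), strlen($truncated) * 6);

// Base64 box checked: the key decodes to the full 32 bytes.
$raw = encrypt_example_validate_key($encoded, true);
printf("decoded: %d bytes, %d bits\n", strlen($raw), strlen($raw) * 8);

// Base64 box forgotten: the 44-character string is rejected, not shortened.
try {
  encrypt_example_validate_key($encoded, false);
}
catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```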