Steps to reproduce:
1. Install the module per documentation.
2. Set up your application/consumer.
3. Make sure that you have set up hash_salt in settings.php or settings local and that it is less than 32 in length.
4. Try to request a token for your consumer on oauth/token.
You'll get an issue like the one below in recent log messages:
Defuse\Crypto\Exception\EnvironmentIsBrokenException: Your version of PHP has bug #66797. Its implementation of mb_substr() is incorrect. See the details here: https://bugs.php.net/bug.php?id=66797 in Defuse\Crypto\Core::ourSubstr() (line 335 of /var/www/html/vendor/defuse/php-encryption/src/Core.php).
This is because Oauth2GrantManager passes 32 as the length to ourSubstr, and the function then compares the length of 32 to your salt, which doesn't have to be 32 in length, and then it fails with an error which falsely represents the issue here.
Proposed solution
Since this is not something the module can fix for you, we should fail with a clear error message if the salt is shorter than 32 characters.
Comment | File | Size | Author |
---|---|---|---|
#8 | simple_oauth-hash-salt-2935122-8.patch | 681 bytes | Berdir |
#2 | 2935122-2.patch | 588 bytes | xSDx |
Comments
Comment #2
xSDx (Websolutions Agency): Attaching patch
Comment #3
xSDx (Websolutions Agency)
Comment #4
xSDx (Websolutions Agency)
Comment #5
Berdir: I noticed this too but the patch doesn't really help. The correct fix is IMHO to throw a clearer exception if the hash is too short instead of the very confusing one about that mb_string bug. This is a developer problem that can not be fixed automatically, so we should just fail with a clear error.
Comment #6
e0ipso: I agree with this conclusion.
Comment #7
e0ipso
Comment #8
Berdir: Here's a fix, not sure if you want to have a test for this.
Comment #9
Berdir
Comment #10
e0ipso: Merged.
Thank you for the patch @Berdir. Thank you for the report @xSDx.
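
A sketch of the fail-fast check proposed in the issue summary, as an added example that is not the module's code or the attached patch. The function and constant names are hypothetical, the salts are constructed, and the length is measured in bytes on the assumption that the 32 passed to ourSubstr() is a byte count.

```php
<?php
// Added example; names are hypothetical and not part of simple_oauth.

// The length the issue says is requested from the salt.
const REQUIRED_SALT_BYTES = 32;

/**
 * Returns the first 32 bytes of the salt, or fails with a message that names
 * the real problem before any later slicing code can fail obscurely.
 */
function checked_salt_prefix(string $salt): string {
    // strlen()/substr() count bytes (mbstring.func_overload is gone in PHP 8),
    // so a multibyte salt is judged by its bytes, not its characters.
    $bytes = strlen($salt);
    if ($bytes < REQUIRED_SALT_BYTES) {
        throw new RuntimeException(sprintf(
            'hash_salt is %d bytes long but at least %d are required. '
            . 'Set a longer $settings[\'hash_salt\'] in settings.php.',
            $bytes,
            REQUIRED_SALT_BYTES
        ));
    }
    return substr($salt, 0, REQUIRED_SALT_BYTES);
}

// Constructed sample salts, not taken from any real site.
$samples = [
    'short development salt' => 'short-dev-salt',            // 14 bytes: rejected
    '20 multibyte characters' => str_repeat("\u{00E9}", 20), // 40 bytes: accepted
    'random 64 hex characters' => bin2hex(random_bytes(32)), // 64 bytes: accepted
];

foreach ($samples as $label => $salt) {
    try {
        $prefix = checked_salt_prefix($salt);
        printf("%-26s OK, using %d bytes\n", $label, strlen($prefix));
    } catch (RuntimeException $e) {
        printf("%-26s FAIL: %s\n", $label, $e->getMessage());
    }
}
```

The second sample shows why the check counts bytes: a salt of 20 two-byte characters is long enough even though its character count is below 32.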