Merge pull request #1359 from jeffhuys/fix-snyk-vulnerability

Remove Key Leak 8.4.x
thephpleague · Aug 2, 2023 · cb9ae79 · cb9ae79
2 parents eed31d8 + 5aba3df
commit cb9ae79
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [8.4.2] - released 2023-07-xx
+### Security
+- If a key string is provided to the CryptKey constructor with an invalid
+  passphrase, the LogicException message generated will contain the given key.
+  The key is no longer leaked via this exception (PR #1353)
+
 ## [8.4.1] - released 2023-03-22
 ### Fixed
 - Fix deprecation notices for PHP 8.x (PR #1329)

diff --git a/src/CryptKey.php b/src/CryptKey.php
@@ -64,7 +64,7 @@ public function __construct($keyPath, $passPhrase = null, $keyPermissionsCheck =
                 throw new LogicException('Unable to read key from file ' . $keyPath);
             }
         } else {
-            throw new LogicException('Unable to read key from file ' . $keyPath);
+            throw new LogicException('Invalid key supplied');
         }
 
         if ($keyPermissionsCheck === true) {

diff --git a/tests/Utils/CryptKeyTest.php b/tests/Utils/CryptKeyTest.php
@@ -55,7 +55,7 @@ public function testKeyString()
     public function testUnsupportedKeyType()
     {
         $this->expectException(\LogicException::class);
-        $this->expectExceptionMessage('Unable to read key');
+        $this->expectExceptionMessage('Invalid key supplied');
 
         try {
             // Create the keypair