Page MenuHomePhorge
Create Task
Maniphest T63

Possible plain text content leak in getTxnId()
Closed, ResolvedPublic
Actions

Description

getTxnId() uses the event content to calculate a *non-cryptographic* hash and uses it in the transaction id that is to be *sent to the server*.

In some cases, the event content might not be encrypted (i.e. it is called with a non-encrypted event). A malicious server may find some patterns in the transaction id, and thus it may exploit this problems to try to attack the cipher.

We should make it that the event content is not used in the calculation of the transaction id.

Also, we should release ASAP.

Related Objects

Event Timeline

tusooa created this task.May 11 2024, 4:35 PM
tusooa raised the priority of this task from Needs Triage to Unbreak Now!.
tusooa created this object with visibility "the Kazv Project (Project)".
tusooa created this object with edit policy "the Kazv Project (Project)".
tusooa mentioned this in D28: Do not calculate transaction id from event content.May 11 2024, 5:00 PM
tusooa moved this task from Bug to Review on the the Kazv Project board.May 11 2024, 5:07 PM
tusooa mentioned this in rLb010662c84fc: Do not calculate transaction id from event content.May 11 2024, 7:00 PM
tusooa closed this task as Resolved.May 11 2024, 8:11 PM
tusooa changed the visibility from "the Kazv Project (Project)" to "Public (No Login Required)".