Hello,
I'm just a regular EDocman user (not a PHP or security expert), and recently I ran the AdminTools PHP File Scanner on my site.
It flagged the phpseclib library inside the Google Drive v3 plugin (plugins/edocman/googledrivev3/GoogleV3/packages/phpseclib/phpseclib/Crypt/RSA.php) as potentially outdated / using legacy code.
Out of curiosity, I asked an AI tool (Grok) to take a look at that part of the code. The AI explained to me that:
- The code is using phpseclib 1.x (a very old version from many years ago)
- It implements the old PKCS#1 v1.5 signature method (EMSA-PKCS1-v1_5)
- According to current security recommendations, this method is now considered legacy and is no longer recommended for new or long-term use
- Modern best practice is to use RSA-PSS instead, and newer versions of phpseclib (3.x) already do this by default
The AI also mentioned that while it doesn't mean the site is immediately hacked, it would be safer to update this part in the future — especially because Google might one day stop accepting the old signature format, or because newer phpseclib versions have many security improvements and fixes.
I completely understand that updating such things takes time and must keep backward compatibility in mind.
I'm not asking for an immediate fix or starting any technical discussion — I just wanted to kindly pass on what I learned from the scanner + AI analysis, in case it is helpful for future planning.
Thank you very much for creating and maintaining EDocman — it's a really useful extension for our site.
Thanks
