Skip to content

Y
yii2
Commit 1cdc51c6 by Alexander Makarov
Options

Merge pull request #4458 from yiisoft/security-adjustments

Fixes #4131: Security adjustments
parents 8f81e231 c5a3cd51
Showing with 46 additions and 10 deletions
apps/advanced/common/models/User.php
...@@ -159,7 +159,7 @@ class User extends ActiveRecord implements IdentityInterface ...@@ -159,7 +159,7 @@ class User extends ActiveRecord implements IdentityInterface
*/ */
public function generateAuthKey() public function generateAuthKey()
{ {
$this->auth_key = Yii::$app->security->generateRandomKey(); $this->auth_key = Yii::$app->security->generateRandomString();
} }
/** /**
...@@ -167,7 +167,7 @@ class User extends ActiveRecord implements IdentityInterface ...@@ -167,7 +167,7 @@ class User extends ActiveRecord implements IdentityInterface
*/ */
public function generatePasswordResetToken() public function generatePasswordResetToken()
{ {
$this->password_reset_token = Yii::$app->security->generateRandomKey() . '_' . time(); $this->password_reset_token = Yii::$app->security->generateRandomString() . '_' . time();
} }
/** /**
......
apps/advanced/common/tests/templates/fixtures/user.php
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
return [ return [
'username' => 'userName', 'username' => 'userName',
'auth_key' => function ($fixture, $faker, $index) { 'auth_key' => function ($fixture, $faker, $index) {
$fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomKey(); $fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomString();
return $fixture; return $fixture;
}, },
...@@ -13,7 +13,7 @@ return [ ...@@ -13,7 +13,7 @@ return [
return $fixture; return $fixture;
}, },
'password_reset_token' => function ($fixture, $faker, $index) { 'password_reset_token' => function ($fixture, $faker, $index) {
$fixture['password_reset_token'] = Yii::$app->getSecurity()->generateRandomKey() . '_' . time(); $fixture['password_reset_token'] = Yii::$app->getSecurity()->generateRandomString() . '_' . time();
return $fixture; return $fixture;
}, },
......
docs/guide/security-authentication.md
...@@ -64,15 +64,18 @@ class User extends ActiveRecord implements IdentityInterface ...@@ -64,15 +64,18 @@ class User extends ActiveRecord implements IdentityInterface
} }
``` ```
Two of the outlined methods are simple: `findIdentity` is provided with an ID value and returns a model instance associated with that ID. The `getId` method returns the ID itself. Two of the outlined methods are simple: `findIdentity` is provided with an ID value and returns a model instance
Two of the other methods--`getAuthKey` and `validateAuthKey`--are used to provide extra security to the "remember me" cookie. The `getAuthKey` method should return a string that is unique for each user. You can create reliably create a unique string using `Yii::$app->getSecurity()->generateRandomKey()`. It's a good idea to also save this as part of the user's record: associated with that ID. The `getId` method returns the ID itself. Two of the other methods – `getAuthKey` and
`validateAuthKey` – are used to provide extra security to the "remember me" cookie. The `getAuthKey` method should
return a string that is unique for each user. You can reliably create a unique string using
`Yii::$app->getSecurity()->generateRandomString()`. It's a good idea to also save this as part of the user's record:
```php ```php
public function beforeSave($insert) public function beforeSave($insert)
{ {
if (parent::beforeSave($insert)) { if (parent::beforeSave($insert)) {
if ($this->isNewRecord) { if ($this->isNewRecord) {
$this->auth_key = Yii::$app->getSecurity()->generateRandomKey(); $this->auth_key = Yii::$app->getSecurity()->generateRandomString();
} }
return true; return true;
} }
......
docs/guide/security-passwords.md
...@@ -42,7 +42,7 @@ Yii security helper makes generating pseudorandom data simple: ...@@ -42,7 +42,7 @@ Yii security helper makes generating pseudorandom data simple:
```php ```php
$key = Yii::$app->getSecurity()->generateRandomKey(); $key = Yii::$app->getSecurity()->generateRandomString();
``` ```
Note that you need to have the `openssl` extension installed in order to generate cryptographically secure random data. Note that you need to have the `openssl` extension installed in order to generate cryptographically secure random data.
......
extensions/faker/README.md
...@@ -78,7 +78,7 @@ return [ ...@@ -78,7 +78,7 @@ return [
return $fixture; return $fixture;
}, },
'auth_key' => function ($fixture, $faker, $index) { 'auth_key' => function ($fixture, $faker, $index) {
$fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomKey(); $fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomString();
return $fixture; return $fixture;
}, },
]; ];
......
framework/CHANGELOG.md
...@@ -149,6 +149,11 @@ Yii Framework 2 Change Log ...@@ -149,6 +149,11 @@ Yii Framework 2 Change Log
- Enh #4080: Added proper handling and support of the symlinked directories in `FileHelper`, added $options parameter in `FileHelper::removeDirectory()` (resurtm) - Enh #4080: Added proper handling and support of the symlinked directories in `FileHelper`, added $options parameter in `FileHelper::removeDirectory()` (resurtm)
- Enh #4086: changedAttributes of afterSave Event now contain old values (dizews) - Enh #4086: changedAttributes of afterSave Event now contain old values (dizews)
- Enh #4114: Added `Security::generateRandomBytes()`, improved tests (samdark) - Enh #4114: Added `Security::generateRandomBytes()`, improved tests (samdark)
- Enh #4131: Security adjustments (tom--)
- Added HKDF to `yii\base\Security`.
- Reverted auto fallback to PHP PBKDF2.
- Fixed PBKDF2 key truncation.
- Adjusted API.
- Enh #4209: Added `beforeCopy`, `afterCopy`, `forceCopy` properties to AssetManager (cebe) - Enh #4209: Added `beforeCopy`, `afterCopy`, `forceCopy` properties to AssetManager (cebe)
- Enh #4297: Added check for DOM extension to requirements (samdark) - Enh #4297: Added check for DOM extension to requirements (samdark)
- Enh #4317: Added `absoluteAuthTimeout` to yii\web\User (ivokund, nkovacs) - Enh #4317: Added `absoluteAuthTimeout` to yii\web\User (ivokund, nkovacs)
......
framework/web/Request.php
...@@ -1303,7 +1303,7 @@ class Request extends \yii\base\Request ...@@ -1303,7 +1303,7 @@ class Request extends \yii\base\Request
{ {
$options = $this->csrfCookie; $options = $this->csrfCookie;
$options['name'] = $this->csrfParam; $options['name'] = $this->csrfParam;
$options['value'] = Yii::$app->getSecurity()->generateRandomKey(); $options['value'] = Yii::$app->getSecurity()->generateRandomString();
return new Cookie($options); return new Cookie($options);
} }
......
tests/unit/framework/base/ExposedSecurity.php 0 → 100644
<?php
namespace yiiunit\framework\base;
use yii\base\Security;
/**
* ExposedSecurity exposes protected methods for direct testing
*/
class ExposedSecurity extends Security
{
/**
* @inheritdoc
*/
public function hkdf($algo, $inputKey, $salt = null, $info = null, $length = 0)
{
return parent::hkdf($algo, $inputKey, $salt, $info, $length);
}
/**
* @inheritdoc
*/
public function pbkdf2($algo, $password, $salt, $iterations, $length = 0)
{
return parent::pbkdf2($algo, $password, $salt, $iterations, $length);
}
}
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment