Skip to content

Y
yii2
Commit 660d3a57 by Scott Arciszewski
Options

Inconsistently insecure

Why use a strong random number generator in one place, but not another? I know salts have no cryptographic security requirement, but collisions are less likely if you use one.
parent 08db9285
Showing with 2 additions and 5 deletions
framework/helpers/BaseSecurity.php
...@@ -336,13 +336,10 @@ class BaseSecurity ...@@ -336,13 +336,10 @@ class BaseSecurity
} }
// Get 20 * 8bits of pseudo-random entropy from mt_rand(). // Get 20 * 8bits of pseudo-random entropy from mt_rand().
$rand = ''; $rand = openssl_random_pseudo_bytes(20);
for ($i = 0; $i < 20; ++$i) {
$rand .= chr(mt_rand(0, 255));
}
// Add the microtime for a little more entropy. // Add the microtime for a little more entropy.
$rand .= microtime(); $rand .= microtime(true);
// Mix the bits cryptographically into a 20-byte binary string. // Mix the bits cryptographically into a 20-byte binary string.
$rand = sha1($rand, true); $rand = sha1($rand, true);
// Form the prefix that specifies Blowfish algorithm and cost parameter. // Form the prefix that specifies Blowfish algorithm and cost parameter.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment