[SECURITY] 0-pad to length in random string generation

Otherwise shorter strings might be generated.

Bug: T115522
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
Change-Id: I110d873d56762552060fd428c236c8b0e9a859b0
Brad Jorsch 2015-10-14 17:40:42 -04:00 committed by Chad Horohoe
parent e95721aae1
commit 4826c44e9b
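The commit message says that without zero-padding "shorter strings might be generated". The following is an added example, not MediaWiki code, showing why: a base-16 to base-32 conversion is a numeric conversion, so leading zero nibbles in the random hex carry no value and simply disappear from the output, while ceil( $length * 1.25 ) hex characters can also produce one digit too many. `base_convert()` below is a simplified reimplementation of the pad-to-length behaviour of Wikimedia\base_convert() (an assumption about its semantics, not the library's code), and the hex inputs are constructed rather than drawn from MWCryptRand.

```python
"""Added example (not MediaWiki code): why hex -> base-32 can come out short or
long, and how padding plus a trailing slice yields exactly `length` chars.

base_convert() here mimics the pad argument of Wikimedia\\base_convert() in a
simplified form; the hex strings passed to the *_before/*_after helpers are
constructed test inputs, not output of MWCryptRand.
"""
import math
import secrets

# Digit alphabet for bases up to 36, lowercase like PHP's base_convert().
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def base_convert(value: str, src_base: int, dst_base: int, pad: int = 1) -> str:
    """Convert digit string `value` from src_base to dst_base.

    The result is left-padded with '0' to at least `pad` characters. Without
    padding, leading zero digits of the input vanish: they have no numeric
    value, so the output is shorter than the caller expected.
    """
    n = int(value, src_base)
    digits = []
    while n:
        n, rem = divmod(n, dst_base)
        digits.append(ALPHABET[rem])
    out = "".join(reversed(digits)) or "0"
    return out.rjust(pad, "0")


def hex_chars_needed(length: int) -> int:
    """ceil(length * 1.25) hex chars carry at least 5*length bits, i.e. at least
    `length` base-32 digits (each base-32 digit is 5 bits)."""
    return math.ceil(length * 1.25)


def password_before(length: int, hex_chars: str) -> str:
    """Pre-patch logic: return the conversion result as-is.

    Leading zero nibbles shorten the result; 4*ceil(1.25*length) bits that are
    not a multiple of 5 can also lengthen it by one digit.
    """
    return base_convert(hex_chars, 16, 32)


def password_after(length: int, hex_chars: str) -> str:
    """Post-patch logic: pad to `length`, then keep the last `length` digits.

    The slice drops at most one leading digit (the high-order bits); the kept
    digits are the low-order bits and remain uniformly distributed.
    """
    return base_convert(hex_chars, 16, 32, pad=length)[-length:]


def generate(min_length: int) -> str:
    """Random password of exactly max(10, min_length) base-32 characters."""
    length = max(10, min_length)
    n = hex_chars_needed(length)
    hex_chars = secrets.token_hex((n + 1) // 2)[:n]
    return password_after(length, hex_chars)


def lengths_always_match(trials: int = 2000) -> bool:
    """Sanity check: the post-patch path never yields a short or long string."""
    return all(len(generate(k)) == max(10, k) for k in range(1, 40) for _ in range(trials // 40))


if __name__ == "__main__":
    short_hex = "000000000abcd"   # 13 hex chars with leading zeros, constructed
    print(password_before(10, short_hex), password_after(10, short_hex))
    print(generate(10), lengths_always_match())
```

Run with length 10 (13 hex characters): a hex string of nine zeros followed by `abcd` converts to the four digits `1aud` before the patch and to the ten digits `0000001aud` after it, while thirteen `f` nibbles give eleven digits before and the last ten of them after.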


@ -200,11 +200,10 @@ final class PasswordFactory {
// stopping at a minimum of 10 chars.
$length = max( 10, $minLength );
// Multiply by 1.25 to get the number of hex characters we need
$length = $length * 1.25;
// Generate random hex chars
$hex = MWCryptRand::generateHex( $length );
$hex = MWCryptRand::generateHex( ceil( $length * 1.25 ) );
// Convert from base 16 to base 32 to get a proper password like string
return Wikimedia\base_convert( $hex, 16, 32 );
return substr( Wikimedia\base_convert( $hex, 16, 32, $length ), -$length );
}
/**
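Review bot: ceil() returns a float in PHP, so the new `MWCryptRand::generateHex( ceil( $length * 1.25 ) )` passes a float where a character count is expected; an explicit `(int)ceil( $length * 1.25 )` would state the intent and not rely on implicit coercion inside generateHex(). The length fix itself checks out: ceil( $length * 1.25 ) hex characters carry at least 5 * $length bits, so once the pad argument to Wikimedia\base_convert() restores any leading zeros the base-32 string has at least $length digits, and `substr( ..., -$length )` can discard at most one leading digit (the high-order bits), leaving exactly $length low-order, uniformly distributed characters. One comment issue: "Multiply by 1.25 to get the number of hex characters we need" sits above the standalone `$length = $length * 1.25;`, which must go now that the multiplication happens inline in the generateHex() call; move or reword the comment so it explains the ceil() expression it now belongs to.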