php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-11-03 22:32:40 +08:00
Code Issues Packages Projects Releases Wiki Activity

Inconsistently insecure

Browse Source 
Why use a strong random number generator in one place, but not another? I know salts have no cryptographic security requirement, but collisions are less likely if you use one.
This commit is contained in:
Scott Arciszewski
2014-02-13 13:26:54 -05:00
parent 08db928553
commit 660d3a57d6
1 changed files with 2 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
framework/helpers/BaseSecurity.php
View File

@ -336,13 +336,10 @@ class BaseSecurity
}
// Get 20 * 8bits of pseudo-random entropy from mt_rand().
$rand = '';
for ($i = 0; $i < 20; ++$i) {
$rand .= chr(mt_rand(0, 255));
}
$rand = openssl_random_pseudo_bytes(20);
// Add the microtime for a little more entropy.
$rand .= microtime();
$rand .= microtime(true);
// Mix the bits cryptographically into a 20-byte binary string.
$rand = sha1($rand, true);
// Form the prefix that specifies Blowfish algorithm and cost parameter.