Improved Security / Bugs / #1 No randomness in Security

#1 No randomness in Security_Randomizer::getRandomToken()

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2011-10-11

Created: 2011-10-11

Creator: Bastian Waidelich

Private: No

Calling Security_Randomizer::getRandomToken(16) on a Windows 7 (64bit) system always returns the string "00000000000000000000000000000000".
The reason is that getRandomBytes() falls back to md_rand and then converts the result into some weird bytes (��) which result in the above when converted with bin2hex().

Discussion

Bastian Waidelich - 2011-10-11

I could boil it down to the code "$source += uniqid('', true));" (line 245 in Security_Randomizer.php): That line appends the string returned by uniqid() to the $source which is expected to be an integer.
Commenting out that line fixes the issue for me, but there might be a better solution!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Anonymous - 2011-10-12

$source += hexdec(uniqid('', true)));
should work I guess...

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Bastian Waidelich - 2011-10-12

hexdec() won't work here.
FYI: We are using this library in the FLOW3 PHP Framework, You can find the according bug report here: http://forge.typo3.org/issues/29976

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

No randomness in Security_Randomizer::getRandomToken()

Group

Searches

Help

#1 No randomness in Security_Randomizer::getRandomToken()

Discussion