No randomness in Security_Randomizer::getRandomToken()
Brought to you by: kaisellgren
Calling Security_Randomizer::getRandomToken(16) on a Windows 7 (64bit) system always returns the string "00000000000000000000000000000000".
The reason is that getRandomBytes() falls back to md_rand and then converts the result into some weird (non-printable) bytes, which result in the above when converted with bin2hex().
I could boil it down to the code "$source += uniqid('', true);" (line 245 in Security_Randomizer.php): that line appends the string returned by uniqid() to $source, which is expected to be an integer.
Commenting out that line fixes the issue for me, but there might be a better solution!
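To make the coercion concrete, here is an added PHP example (not code from the Security_Randomizer library; function names are hypothetical) that contrasts the arithmetic in the reported line with hash-based mixing of the same seed material:

```php
<?php
// Added example, not the library's own code. It shows why adding a uniqid()
// string to an integer seed discards nearly all of it, and a mixing step that
// keeps every byte instead. All function names here are hypothetical.

// What "$source += uniqid('', true)" does: PHP coerces the string to a number
// using only its leading numeric prefix (e.g. "4" out of "4b3403005c1c1.679"),
// so the rest of the added "entropy" is silently dropped. The explicit cast
// mirrors that coercion; with error reporting on, PHP also emits a notice or
// warning about the malformed numeric string.
function mixSeedByAddition(int $source, string $id): int
{
    return $source + (int) $id;
}

// Hardened alternative: hash the full seed material and derive the seed bytes
// from the digest, so the string contributes as bytes rather than as a number.
// pack('J') needs PHP 5.6.3+; the return type declarations need PHP 7+.
function mixSeedByHash(int $source, string $id): string
{
    return hash('sha256', pack('J', $source) . $id, true); // 32 raw bytes
}

// On PHP 7+ the md_rand fallback is unnecessary: random_bytes() throws when no
// CSPRNG source is available instead of quietly degrading to a constant token.
function tokenHex(int $bytes): string
{
    return bin2hex(random_bytes($bytes));
}

// Constructed value in the shape uniqid('', true) returns (hex time, dot, lcg).
$id = '4b3403005c1c1.67913463';
var_dump(mixSeedByAddition(12345, $id));      // only the leading "4" survived
var_dump(bin2hex(mixSeedByHash(12345, $id))); // every byte of $id mixed in
var_dump(tokenHex(16));                       // 16 CSPRNG bytes as 32 hex chars
```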
$source += hexdec(uniqid('', true));
should work I guess...
hexdec() won't work here.
FYI: We are using this library in the FLOW3 PHP Framework. You can find the corresponding bug report here: http://forge.typo3.org/issues/29976