From 4826c44e9bd7d5ee5e63f0a48fbbe3b5b033620e Mon Sep 17 00:00:00 2001 From: Brad Jorsch Date: Wed, 14 Oct 2015 17:40:42 -0400 Subject: [PATCH] [SECURITY] 0-pad to length in random string generation Otherwise shorter strings might be generated. Bug: T115522 Signed-off-by: Chad Horohoe Change-Id: I110d873d56762552060fd428c236c8b0e9a859b0 --- includes/password/PasswordFactory.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/includes/password/PasswordFactory.php b/includes/password/PasswordFactory.php index 6b634cbea7..f80e158b9d 100644 --- a/includes/password/PasswordFactory.php +++ b/includes/password/PasswordFactory.php @@ -200,11 +200,10 @@ final class PasswordFactory { // stopping at a minimum of 10 chars. $length = max( 10, $minLength ); // Multiply by 1.25 to get the number of hex characters we need - $length = $length * 1.25; // Generate random hex chars - $hex = MWCryptRand::generateHex( $length ); + $hex = MWCryptRand::generateHex( ceil( $length * 1.25 ) ); // Convert from base 16 to base 32 to get a proper password like string - return Wikimedia\base_convert( $hex, 16, 32 ); + return substr( Wikimedia\base_convert( $hex, 16, 32, $length ), -$length ); } /** -- 2.20.1