From: Brad Jorsch
Date: Wed, 14 Oct 2015 21:40:42 +0000 (-0400)
Subject: [SECURITY] 0-pad to length in random string generation
X-Git-Tag: 1.31.0-rc.0~8635
X-Git-Url: http://git.cyclocoop.org//%22%22.str_replace%28%27%22%27%2C?a=commitdiff_plain;h=4826c44e9bd7d5ee5e63f0a48fbbe3b5b033620e;p=lhc%2Fweb%2Fwiklou.git

[SECURITY] 0-pad to length in random string generation

Otherwise shorter strings might be generated.

Bug: T115522
Signed-off-by: Chad Horohoe
Change-Id: I110d873d56762552060fd428c236c8b0e9a859b0
---

diff --git a/includes/password/PasswordFactory.php b/includes/password/PasswordFactory.php
index 6b634cbea7..f80e158b9d 100644
--- a/includes/password/PasswordFactory.php
+++ b/includes/password/PasswordFactory.php
@@ -200,11 +200,10 @@ final class PasswordFactory {
 // stopping at a minimum of 10 chars.
 $length = max( 10, $minLength );
 // Multiply by 1.25 to get the number of hex characters we need
-$length = $length * 1.25;
 // Generate random hex chars
-$hex = MWCryptRand::generateHex( $length );
+$hex = MWCryptRand::generateHex( ceil( $length * 1.25 ) );
 // Convert from base 16 to base 32 to get a proper password like string
-return Wikimedia\base_convert( $hex, 16, 32 );
+return substr( Wikimedia\base_convert( $hex, 16, 32, $length ), -$length );
 }
 
 /**
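Review bot: `ceil( $length * 1.25 )` on the new generateHex line evaluates to a float, so the hex-character count is now passed as a float where the old code passed the product directly; unless generateHex is known to accept a float, cast it explicitly, `$hex = MWCryptRand::generateHex( (int)ceil( $length * 1.25 ) );`. The new return line is the actual fix but carries no explanation of why both the pad argument and the negative substr offset are needed; a short why-comment would help the next reader, e.g. `// Pad to at least $length chars, then keep the trailing $length so the result is exactly that long`. The comment "Multiply by 1.25 to get the number of hex characters we need" now describes an expression that moved onto the generateHex line, so it could be folded into that line's comment. The enclosing method begins above the hunk.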