authorBrad Jorsch <bjorsch@wikimedia.org>2015-10-14 17:40:42 -0400
committerChad Horohoe <chadh@wikimedia.org>2015-12-18 01:22:35 -0800
commit4826c44e9bd7d5ee5e63f0a48fbbe3b5b033620e (patch)
tree0279250afb31fb91f8cb2f1a20abe889758686f6 /includes/password/PasswordFactory.php
parente95721aae1daad4503eb23d87a114f363b324442 (diff)
[SECURITY] 0-pad to length in random string generation
Without padding to the requested length, the generated string could come out shorter than intended.

Bug: T115522
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
Change-Id: I110d873d56762552060fd428c236c8b0e9a859b0
Diffstat (limited to 'includes/password/PasswordFactory.php')
-rw-r--r--includes/password/PasswordFactory.php5
1 files changed, 2 insertions, 3 deletions
diff --git a/includes/password/PasswordFactory.php b/includes/password/PasswordFactory.php
index 6b634cbea701..f80e158b9d4b 100644
--- a/includes/password/PasswordFactory.php
+++ b/includes/password/PasswordFactory.php
@@ -200,11 +200,10 @@ final class PasswordFactory {
// stopping at a minimum of 10 chars.
$length = max( 10, $minLength );
// Multiply by 1.25 to get the number of hex characters we need
- $length = $length * 1.25;
// Generate random hex chars
- $hex = MWCryptRand::generateHex( $length );
+ $hex = MWCryptRand::generateHex( ceil( $length * 1.25 ) );
// Convert from base 16 to base 32 to get a proper password like string
- return Wikimedia\base_convert( $hex, 16, 32 );
+ return substr( Wikimedia\base_convert( $hex, 16, 32, $length ), -$length );
}
/**