
Merge pull request #75 from oittaa/patch-1

Use random_bytes if available, drop SHA-512

Merging, thanks for PR.
Apologies for late merge, was on vacation.
mebjas committed Apr 12, 2017
2 parents 6a51f1c + 2f3b171 commit aec0d6966992363a7192b2ae9fb0a9643e8fa26b
Showing with 9 additions and 6 deletions.
  1. +2 −1 .travis.yml
  2. +5 −5 libs/csrf/csrfprotector.php
  3. +2 −0 test/csrfprotector_test.php
@@ -31,6 +31,7 @@ before_script:
script:
- mkdir -p build/logs
+ - if [ $(phpenv version-name) = 'hhvm' ]; then echo 'xdebug.enable=1' >> /etc/hhvm/php.ini; fi
- phpunit --stderr --coverage-clover build/logs/clover.xml
after_script:
@@ -42,4 +43,4 @@ after_success:
cache:
directories:
- vendor
- - $HOME/.cache/composer
+ - $HOME/.cache/composer
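Review bot: The command substitution in the added `script` step is unquoted, so if `phpenv version-name` prints nothing the test collapses to `[ = 'hhvm' ]` and the step fails with a shell syntax error instead of simply skipping. Quoting it, `- if [ "$(phpenv version-name)" = 'hhvm' ]; then echo 'xdebug.enable=1' >> /etc/hhvm/php.ini; fi`, keeps the check robust. Appending to /etc/hhvm/php.ini also assumes the CI user can write there; presumably that holds on the image in use, but it is the kind of assumption worth a one-line comment above the step.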
@@ -354,7 +354,7 @@ public static function refreshToken()
public static function generateAuthToken()
{
// todo - make this a member method / configurable
- $randLength = 32;
+ $randLength = 64;
//if config tokenLength value is 0 or some non int
if (intval(self::$config['tokenLength']) == 0) {
@@ -363,10 +363,10 @@ public static function generateAuthToken()
//#todo - if $length > 128 throw exception
- if (function_exists("hash_algos")
- && function_exists("openssl_random_pseudo_bytes")
- && in_array("sha512", hash_algos())) {
- $token = hash("sha512", openssl_random_pseudo_bytes ($randLength));
+ if (function_exists("random_bytes")) {
+ $token = bin2hex(random_bytes($randLength));
+ } elseif (function_exists("openssl_random_pseudo_bytes")) {
+ $token = bin2hex(openssl_random_pseudo_bytes($randLength));
} else {
$token = '';
for ($i = 0; $i < 128; ++$i) {
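Review bot: The `openssl_random_pseudo_bytes` fallback branch on the new side ignores the function's `$crypto_strong` out-parameter and never checks for a `false` return, so a weak or failed generator silently yields a token (and `bin2hex(false)` produces an empty string). The old code had the same gap but at least hashed the bytes; now they are exposed directly, so the check matters more: `$bytes = openssl_random_pseudo_bytes($randLength, $strong);` then `if ($bytes === false || $strong !== true) { /* treat as generator failure */ }` before `$token = bin2hex($bytes);`. The legacy loop beginning on the hunk's last line and the function's return lie outside the hunk, so how a failure should be reported there cannot be seen from here.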
@@ -356,10 +356,12 @@ public function testGenerateAuthToken()
$this->assertFalse($token1 == $token2);
$this->assertEquals(strlen($token1), 20);
+ $this->assertRegExp('/^[a-z0-9]{20}$/', $token1);
csrfprotector::$config['tokenLength'] = 128;
$token = csrfprotector::generateAuthToken();
$this->assertEquals(strlen($token), 128);
+ $this->assertRegExp('/^[a-z0-9]{128}$/', $token);
}
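Review bot: The two new `assertRegExp` patterns accept `[a-z0-9]`, which is looser than the `[a-f0-9]` alphabet `bin2hex()` emits on the `random_bytes` and `openssl` paths, so they would not catch a regression that leaks non-hex characters. Presumably the wider class is kept for the legacy loop fallback, whose output alphabet is not visible here; if so, a comment on the first assertion recording that choice (for example `// [a-z0-9] rather than hex on purpose: the non-bin2hex fallback path is covered too — confirm`) would save the next reader the question, and otherwise tightening both patterns to `[a-f0-9]` pins the new behaviour. testGenerateAuthToken begins before the hunk.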
/**
