Fix bug #47890 #73215 uniqid() should use better random source

php · Oct 18, 2016 · 48f1a17 · 48f1a17
1 parent 0b596f8
commit 48f1a17
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/ext/standard/uniqid.c b/ext/standard/uniqid.c
@@ -35,9 +35,11 @@
 #include <sys/time.h>
 #endif
 
-#include "php_lcg.h"
+#include "php_random.h"
 #include "uniqid.h"
 
+#define PHP_UNIQID_ENTROPY_LEN 10
+
 /* {{{ proto string uniqid([string prefix [, bool more_entropy]])
    Generates a unique ID */
 #ifdef HAVE_GETTIMEOFDAY
@@ -77,7 +79,22 @@ PHP_FUNCTION(uniqid)
 	 * digits for usecs.
 	 */
 	if (more_entropy) {
-		uniqid = strpprintf(0, "%s%08x%05x%.8F", prefix, sec, usec, php_combined_lcg() * 10);
+		int i;
+		unsigned char c, entropy[PHP_UNIQID_ENTROPY_LEN+1];
+
+		for(i = 0; i < PHP_UNIQID_ENTROPY_LEN;) {
+			php_random_bytes_throw(&c, sizeof(c));
+			/* Avoid modulo bias */
+			if (c > 249) {
+				continue;
+			}
+			entropy[i] = c % 10 + '0';
+			i++;
+		}
+		/* Set . for compatibility */
+		entropy[1] = '.';
+		entropy[PHP_UNIQID_ENTROPY_LEN] = '\0';
+		uniqid = strpprintf(0, "%s%08x%05x%s", prefix, sec, usec, entropy);
 	} else {
 		uniqid = strpprintf(0, "%s%08x%05x", prefix, sec, usec);
 	}