insane token params

[thelounge-zz]

may you guys consider instead crap like "&token=hzRo%3F6v~*95v'_7]" where intrusion detection systems react create tokens like every normal person on this plant with hash functions?

[thelounge-zz]

and errors like "PHP Warning: Unknown: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0" triggered by various exports sucks too - triggered by a user

may you consider roll back to the version before ajax and forget any "development" which happened from then?

[thelounge-zz]

BTW: it's the f**ing ~ - who the hell is using that in a GET request on servers where you don't serve userhomes and backup files to the world?

[thelounge-zz]

guess what - gefore phpMyAdmin 4.8.x no problem

18.05.2013

SecRule REQUEST_URI "~" "id:'121',phase:1,status:404,nolog,t:none,t:htmlEntityDecode,t:urlDecodeUni,t:removeWhitespace,t:replaceNulls,block"

[williamdes]

@ibennetch @MauricioFauth

[mynetx]

From Util.php, lines 4761+:

    public static function generateRandom($length)
    {
        $result = '';
        if (class_exists('phpseclib\\Crypt\\Random')) {
            $random_func = [
                'phpseclib\\Crypt\\Random',
                'string',
            ];
        } else {
            $random_func = 'openssl_random_pseudo_bytes';
        }
        while (strlen($result) < $length) {
            // Get random byte and strip highest bit
            // to get ASCII only range
            $byte = ord($random_func(1)) & 0x7f;
            // We want only ASCII chars
            if ($byte > 32) {
                $result .= chr($byte);
            }
        }
        return $result;
    }

The problem here is that the returned random string can also contain URL-problematic characters, like ~ and #.

After taking a look at the ASCII table, I suggest to remove the interval from U+0021 (33) to U+002B (43) and thus exclude these characters from the allowed set:

Unicode codepoint	Decimal	character
U+0021	33	!
U+0022	34	"
U+0023	35	#
U+0024	36	$
U+0025	37	%
U+0026	38	&
U+0027	39	'
U+0028	40	(
U+0029	41	)
U+002A	42	*
U+002B	43	+

In addition, I’d add a blacklist for these characters:

Unicode codepoint	Decimal	character
U+003C	60	<
U+003E	62	>
U+003F	63	?
U+0060	96	`
U+007E	126	~

The most effective approach may be either:

• To use a hash library (suggesting sha256 – need to check phpMyAdmin’s dependencies on the php-hash extension though), applied on the raw string generated in generateRandom(), or
• To provide a whitelist of allowed characters vs. forbidden ones.

Performance considerations are not that important in my opinion, since the token is not regenerated on every user action, but instead stored in the session.

Open to input from the others here.

[thelounge-zz]

seriously why do people these days need for every trivial piece of code complex solutions, libraries and frameworks?

php > echo bin2hex(openssl_random_pseudo_bytes(30));
09f233736262e11d4a1e24be2833c539b48d6804b50cc565ebd04fa9132b

php > echo bin2hex(random_bytes(30));
0448309d9f75c816242a3ed1f196e6ccb761bf9e44951012106b5a430dbe

bin2hex(generateRandom()) and you are done for the sake of god if ypu can#t live without using at least one framework

[williamdes]

@thelounge-zz We will now use hex for the session token 🎉 !
Will be part of next version

[thelounge-zz]

thanks