From cc8258cb3cb36c39e24e64b8c93682fff9acb16a Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Wed, 29 Jan 2020 11:12:21 +0100 Subject: [PATCH] use random_bytes(32) which throws for not enought entropy --- api/src/Csrf.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/src/Csrf.php b/api/src/Csrf.php index 1924513f9f..03332a54bf 100644 --- a/api/src/Csrf.php +++ b/api/src/Csrf.php @@ -31,6 +31,8 @@ class Csrf * * @param mixed $_purpose =true if given it need to be used in validate too! (It must NOT be NULL) * @return string CSRF token + * @throws Exception\WrongParameter + * @throws \Exception if it was not possible to gather sufficient entropy. */ public static function token($_purpose=true) { @@ -39,9 +41,7 @@ class Csrf throw new Exception\WrongParameter(__METHOD__.'(NULL) $_purspose must NOT be NULL!'); } // generate random token (using oppenssl if available otherwise mt_rand based Auth::randomstring) - $token = function_exists('openssl_random_pseudo_bytes') ? - base64_encode(openssl_random_pseudo_bytes(64)) : - Auth::randomstring(64); + $token = base64_encode(random_bytes(32)); // store it in session for later validation Cache::setSession(__CLASS__, $token, $_purpose);