From f75c400db44387863abbc0f6f2944df546d5a137 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20Calvo?=
Date: Fri, 15 Jun 2018 19:22:35 +0200
Subject: [PATCH 1/2] [ticket/15693] Fix get_rand_string()

PHPBB3-15693
---
 phpBB/includes/functions.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 4aae84705b..3b3218a3aa 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -71,7 +71,7 @@ function set_var(&$result, $var, $type, $multibyte = false)
 function gen_rand_string($num_chars = 8)
 {
 // [a, z] + [0, 9] = 36
- return substr(strtoupper(base_convert(unique_id(), 16, 36)), 0, $num_chars);
+ return substr(strtoupper(base_convert(bin2hex(random_bytes($num_chars)), 16, 36)), 0, $num_chars);
 }
 
 /**
@@ -82,7 +82,7 @@ function gen_rand_string($num_chars = 8)
 */
 function gen_rand_string_friendly($num_chars = 8)
 {
- $rand_str = unique_id();
+ $rand_str = bin2hex(random_bytes($num_chars));
 
 // Remove Z and Y from the base_convert(), replace 0 with Z and O with Y
 // [a, z] + [0, 9] - {z, y} = [a, z] + [0, 9] - {0, o} = 34

From 9e50e52fa5c72ee668c0d4c43b15e441f31ada5c Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Sun, 17 Jun 2018 11:01:11 +0200
Subject: [PATCH 2/2] [ticket/15693] Update tests to reflect changes to gen_rand_string()

PHPBB3-15693
---
 phpBB/includes/functions.php | 4 ++++
 tests/random/gen_rand_string_test.php | 10 ++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 3b3218a3aa..270d513a26 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -66,6 +66,8 @@ function set_var(&$result, $var, $type, $multibyte = false)
 /**
 * Generates an alphanumeric random string of given length
 *
+* @param int $num_chars Length of random string, defaults to 8
+*
 * @return string
 */
 function gen_rand_string($num_chars = 8)
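Review bot: The added `return` line in `gen_rand_string()` still passes the random bytes through `base_convert()`, which the PHP manual warns may lose precision on large numbers because it works on the internal float type, so for larger `$num_chars` the extra bytes add little usable randomness. The leading base-36 digit of the converted number is also not uniformly distributed, and leading zero bytes are dropped by the conversion, so the result can occasionally be shorter than `$num_chars`. Drawing each character with `random_int()` over the alphabet avoids all three problems, as sketched below. The same concern applies to the second hunk's `$rand_str = bin2hex(random_bytes($num_chars));` in `gen_rand_string_friendly()`, whose body continues outside the hunk and, judging by its comment, also converts with `base_convert()`.

```php
function gen_rand_string($num_chars = 8)
{
	// [A, Z] + [0, 9] = 36
	$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
	$rand_str = '';

	for ($i = 0; $i < $num_chars; $i++)
	{
		$rand_str .= $alphabet[random_int(0, strlen($alphabet) - 1)];
	}

	return $rand_str;
}
```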
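Review bot: The added `@param` line for `gen_rand_string()` gives no lower bound for `$num_chars`, although after the first patch the value goes straight into `random_bytes()`, which rejects a length below 1 rather than yielding an empty string. I would word it as `* @param int $num_chars Length of random string, must be at least 1, defaults to 8` and add an `@throws` line if that error is meant to reach callers. The identical `@param` added to `gen_rand_string_friendly()` in the following hunk needs the same wording.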
@@ -78,6 +80,8 @@ function gen_rand_string($num_chars = 8)
 * Generates a user-friendly alphanumeric random string of given length
 * We remove 0 and O so users cannot confuse those in passwords etc.
 *
+* @param int $num_chars Length of random string, defaults to 8
+*
 * @return string
 */
 function gen_rand_string_friendly($num_chars = 8)
diff --git a/tests/random/gen_rand_string_test.php b/tests/random/gen_rand_string_test.php
index a9d1ea20de..428db6ac98 100644
--- a/tests/random/gen_rand_string_test.php
+++ b/tests/random/gen_rand_string_test.php
@@ -40,7 +40,10 @@ class phpbb_random_gen_rand_string_test extends phpbb_test_case
 $random_string_length = strlen($random_string);
 
 $this->assertTrue($random_string_length >= self::MIN_STRING_LENGTH);
- $this->assertTrue($random_string_length <= $num_chars);
+ $this->assertTrue(
+ $random_string_length == $num_chars,
+ sprintf('Failed asserting that random string length matches expected length. Expected %1$u, Actual %2$u', $num_chars, $random_string_length)
+ );
 $this->assertRegExp('#^[A-Z0-9]+$#', $random_string);
 }
 }
@@ -56,7 +59,10 @@ class phpbb_random_gen_rand_string_test extends phpbb_test_case
 $random_string_length = strlen($random_string);
 
 $this->assertTrue($random_string_length >= self::MIN_STRING_LENGTH);
- $this->assertTrue($random_string_length <= $num_chars);
+ $this->assertTrue(
+ $random_string_length == $num_chars,
+ sprintf('Failed asserting that random string length matches expected length. Expected %1$u, Actual %2$u', $num_chars, $random_string_length)
+ );
 $this->assertRegExp('#^[A-NP-Z1-9]+$#', $random_string);
 }
 }
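Review bot: The exact-length check added at `$random_string_length == $num_chars` can fail intermittently, because `gen_rand_string()` builds its output with `base_convert()`, which drops leading zeros, so a draw whose high-order bytes are small yields a string shorter than `$num_chars`. The probability is low for each call, but the assertion sits inside loops that start outside the hunk, so a rare red build is possible unless the generator guarantees the length. The hand-written `assertTrue(..., sprintf(...))` could also be `$this->assertEquals($num_chars, $random_string_length);`, which reports expected and actual values by itself. Both remarks apply equally to the hunk at `-56,7` for `gen_rand_string_friendly()`.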