dev.horde.org
5/16/25
Comment on [#7447] Audit for inappropriate use of mt_rand()
> The question is, what else do we use (additionally?) as a secret or
> source of randomness? /dev/urandom is not available on all systems.
> Our pre-generated secret_key doesn't change.
> In Horde_Support we use:
> - php_uname('n') or ip address (not random, only to avoid collisions)
> - uniqid() (with the more-entropy parameter a good candidate)
> - zend_thread_id()/getmypid() (short)
> - microtime() (predictable)
>
> Horde_Oauth and Horde_Token use microtime() resp. time() for Nonces.
>
> This needs to be applied to:
> Horde_Auth::getSalt(), genRandomPassword() (salt and password generation)
> Horde_ActiveSync_State_Base::generatePolicyKey()
> Horde_Secret::setKey()
> Shout::genDeviceAuth()
>
> And probably to share and object ids and resources too, since they
> could be used to share hidden shares/objects through a secret url:
> Horde_Core_Imsp_Utils::synchShares()
> Kronolith_Resource::addResource()
> Turba_Driver::_makeKey()
>
> I'm unsure about:
> Kolab_Storage
>
> Only if being anal for:
> Horde_Form_Type_image::getRandomId()
> Horde_Util::createTempDir()
> Gollem_Api::setSelectlist()
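An added example, not Horde's code, of the source-selection policy the comment above is asking for, in PHP: it tries a kernel-backed CSPRNG first, then /dev/urandom where it exists, then OpenSSL only when OpenSSL reports its output as strong, and otherwise fails rather than falling back to uniqid(), getmypid() or microtime(). The helper names (secureRandomBytes, secureNonce, secureSalt) are hypothetical.

```php
<?php
// Added example, not Horde code; helper names are hypothetical.
// Return $length cryptographically secure random bytes, trying sources from
// strongest to weakest. Never falls back to mt_rand(), uniqid(), getmypid()
// or microtime(): those are guessable, not secret.
function secureRandomBytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }
    // PHP >= 7.0: kernel CSPRNG (getrandom(2) / CryptGenRandom / /dev/urandom).
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    // Older PHP on Unix: read the kernel pool directly.
    if (@is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) {
        $bytes = fread($fh, $length);
        fclose($fh);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // OpenSSL, but only if it reports the output as cryptographically strong.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && $bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // Failing loudly beats silently issuing a predictable token.
    throw new RuntimeException('No cryptographically secure RNG available');
}

// 128-bit hex nonce, a drop-in for the time()/microtime() nonces mentioned above.
function secureNonce()
{
    return bin2hex(secureRandomBytes(16));
}

// Salt of $chars characters from a 64-symbol alphabet. Because 64 divides 256,
// masking each byte with 0x3F picks a symbol uniformly (no modulo bias).
function secureSalt($chars = 16)
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    foreach (str_split(secureRandomBytes($chars)) as $byte) {
        $salt .= $alphabet[ord($byte) & 0x3F];
    }
    return $salt;
}
```

On a host with none of the three sources, the RuntimeException is the intended outcome: the caller should refuse to issue the key, salt or policy key rather than generate one from a predictable value.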