Skip to content
This repository has been archived by the owner on May 16, 2018. It is now read-only.

Commit

Permalink
Merge branch 'security/zf2016-01'
Browse files Browse the repository at this point in the history
Patch for ZF2016-01
  • Loading branch information
weierophinney committed Apr 13, 2016
2 parents 3b045d0 + dbb9c8e commit 94c13a2
Show file tree
Hide file tree
Showing 6 changed files with 26 additions and 19 deletions.
10 changes: 5 additions & 5 deletions library/Zend/Crypt/Math.php
Original file line number Diff line number Diff line change
Expand Up @@ -77,11 +77,8 @@ public static function randBytes($length, $strong = false)
if ($length <= 0) {
return false;
}
if (function_exists('openssl_random_pseudo_bytes')) {
$bytes = openssl_random_pseudo_bytes($length, $usable);
if ($strong === $usable) {
return $bytes;
}
if (function_exists('random_bytes')) { // available in PHP 7
return random_bytes($length);
}
if (function_exists('mcrypt_create_iv')) {
$bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
Expand Down Expand Up @@ -134,6 +131,9 @@ public static function randInteger($min, $max, $strong = false)
'The supplied range is too great to generate'
);
}
if (function_exists('random_int')) { // available in PHP 7
return random_int($min, $max);
}
// calculate number of bits required to store range on this machine
$r = $range;
$bits = 0;
Expand Down
6 changes: 4 additions & 2 deletions library/Zend/Filter/Encrypt/Mcrypt.php
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@
*/
require_once 'Zend/Filter/Encrypt/Interface.php';

/** @see Zend_Crypt_Math */
require_once 'Zend/Crypt/Math.php';

/**
* Encryption adapter for mcrypt
*
Expand Down Expand Up @@ -355,9 +358,8 @@ protected function _srand()
if (version_compare(PHP_VERSION, '5.3.0', '>=')) {
return;
}

if (!self::$_srandCalled) {
srand((double) microtime() * 1000000);
srand(Zend_Crypt_Math::randInteger(0, PHP_INT_MAX));
self::$_srandCalled = true;
}
}
Expand Down
8 changes: 4 additions & 4 deletions library/Zend/Form/Element/Hash.php
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,9 @@
/** Zend_Form_Element_Xhtml */
require_once 'Zend/Form/Element/Xhtml.php';

/** @see Zend_Crypt_Math */
require_once 'Zend/Crypt/Math.php';

/**
* CSRF form protection
*
Expand Down Expand Up @@ -249,10 +252,7 @@ public function render(Zend_View_Interface $view = null)
protected function _generateHash()
{
$this->_hash = md5(
mt_rand(1,1000000)
. $this->getSalt()
. $this->getName()
. mt_rand(1,1000000)
Zend_Crypt_Math::randBytes(32)
);
$this->setValue($this->_hash);
}
Expand Down
5 changes: 4 additions & 1 deletion library/Zend/Gdata/HttpClient.php
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@
*/
require_once 'Zend/Http/Client.php';

/** @see Zend_Crypt_Math */
require_once 'Zend/Crypt/Math.php';

/**
* Gdata Http Client object.
*
Expand Down Expand Up @@ -210,7 +213,7 @@ public function filterHttpRequest($method, $url, $headers = array(), $body = nul
if ($this->getAuthSubPrivateKeyId() != null) {
// secure AuthSub
$time = time();
$nonce = mt_rand(0, 999999999);
$nonce = Zend_Crypt_Math::randInteger(0, 999999999);
$dataToSign = $method . ' ' . $url . ' ' . $time . ' ' . $nonce;

// compute signature
Expand Down
7 changes: 5 additions & 2 deletions library/Zend/Ldap/Attribute.php
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@
*/
require_once 'Zend/Ldap/Converter.php';

/** @see Zend_Crypt_Math */
require_once 'Zend/Crypt/Math.php';

/**
* Zend_Ldap_Attribute is a collection of LDAP attribute related functions.
*
Expand Down Expand Up @@ -311,7 +314,7 @@ public static function createPassword($password, $hashType = self::PASSWORD_HASH
}
return $password;
case self::PASSWORD_HASH_SSHA:
$salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
$salt = Zend_Crypt_Math::randBytes(4);
$rawHash = sha1($password . $salt, true) . $salt;
$method = '{SSHA}';
break;
Expand All @@ -320,7 +323,7 @@ public static function createPassword($password, $hashType = self::PASSWORD_HASH
$method = '{SHA}';
break;
case self::PASSWORD_HASH_SMD5:
$salt = substr(sha1(uniqid(mt_rand(), true), true), 0, 4);
$salt = Zend_Crypt_Math::randBytes(4);
$rawHash = md5($password . $salt, true) . $salt;
$method = '{SMD5}';
break;
Expand Down
9 changes: 4 additions & 5 deletions library/Zend/OpenId.php
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@
*/
require_once "Zend/Controller/Response/Abstract.php";

/** @see Zend_Crypt_Math */
require_once 'Zend/Crypt/Math.php';

/**
* Static class that contains common utility functions for
* {@link Zend_OpenId_Consumer} and {@link Zend_OpenId_Provider}.
Expand Down Expand Up @@ -474,11 +477,7 @@ static public function redirect($url, $params = null,
*/
static public function randomBytes($len)
{
$key = '';
for($i=0; $i < $len; $i++) {
$key .= chr(mt_rand(0, 255));
}
return $key;
return (string) Zend_Crypt_Math::randBytes($len);
}

/**
Expand Down

0 comments on commit 94c13a2

Please sign in to comment.