From ea633a91b3917b2f5af250f1bb012a77efcbb9cd Mon Sep 17 00:00:00 2001
From: Yahnis Elsts
Date: Tue, 23 Oct 2018 13:23:48 +0300
Subject: [PATCH] Use random_bytes() when generating OAuth nonces. mt_rand() is not cryptographically secure. This probably doesn't matter that much in most cases because it only affects BitBucket API interactions that already happen over HTTPS, but why not use a better option when it's available? Closes #233
---
 Puc/v4p4/OAuthSignature.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/Puc/v4p4/OAuthSignature.php b/Puc/v4p4/OAuthSignature.php
index 90b16df..5afcb70 100644
--- a/Puc/v4p4/OAuthSignature.php
+++ b/Puc/v4p4/OAuthSignature.php
@@ -80,7 +80,19 @@ if ( !class_exists('Puc_v4p4_OAuthSignature', false) ):
 */
 private function nonce() {
 $mt = microtime();
- $rand = mt_rand();
+
+ $rand = null;
+ if ( is_callable('random_bytes') ) {
+ try {
+ $rand = random_bytes(16);
+ } catch (Exception $ex) {
+ //Fall back to mt_rand (below).
+ }
+ }
+ if ( $rand === null ) {
+ $rand = mt_rand();
+ }
+
 return md5($mt . '_' . $rand);
 }
 }
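Review bot: The fallback in nonce() is silent: when `random_bytes()` is missing or throws, the code drops back to `mt_rand()` and nothing tells a maintainer or operator that the nonce is again built from a non-cryptographic generator. For an OAuth 1.0 nonce the property that matters is uniqueness per timestamp, which `microtime()` plus `mt_rand()` still provides, so the downgrade is tolerable, but that reasoning should sit next to the code. I would replace the catch comment with `//No CSPRNG available: mt_rand() keeps the nonce unique per request, but it is predictable.` The docblock of nonce() starts above the hunk, so whether it already states the randomness source cannot be checked from here.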