mirror
/
plugin-update-checker
mirror of https://github.com/YahnisElsts/plugin-update-checker.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use random_bytes() when generating OAuth nonces. 

mt_rand() is not cryptographically secure. This probably doesn't matter that much in most cases because it only affects BitBucket API interactions that already happen over HTTPS, but why not use a better option when it's available?

Closes #233
This commit is contained in:
Yahnis Elsts 2018-10-23 13:23:48 +03:00
parent f11ffce720
commit ea633a91b3
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Puc/v4p4/OAuthSignature.php
View File

@ -80,7 +80,19 @@ if ( !class_exists('Puc_v4p4_OAuthSignature', false) ):
*/ */
private function nonce() { private function nonce() {
$mt = microtime(); $mt = microtime();
$rand = mt_rand();
$rand = null;
if ( is_callable('random_bytes') ) {
try {
$rand = random_bytes(16);
} catch (Exception $ex) {
//Fall back to mt_rand (below).
}
}
if ( $rand === null ) {
$rand = mt_rand();
}
return md5($mt . '_' . $rand); return md5($mt . '_' . $rand);
} }
} }