Fixed MANTIS-5898 (Make get_secure_random_string more secure)

430f2b81 · Patrick Schmalstig · 179381c0 · 430f2b81 · 430f2b81
Commit 430f2b81 authored 7 months ago by Patrick Schmalstig
--- a/sources/crypt.php
+++ b/sources/crypt.php
@@ -93,23 +93,36 @@ function get_site_salt() : string
 {
    $site_salt = get_value('site_salt');
    if ($site_salt === null) {
-        $site_salt = get_secure_random_string();
+        $site_salt = get_secure_random_string(32); // We are going to MD5 it so it should be long to increase variability
        set_value('site_salt', $site_salt);
    }
    return md5($site_salt);
 }

 /**
- * Get a randomised string acceptable for use as tokens, etc.
- * Will be 13 bytes long and base16. Do not use for passwords; use get_secure_random_password() instead.
+ * Get a URL-safe alphanumeric randomised string acceptable for use as tokens, etc.
+ * Do not use for passwords because it does not contain symbols; use get_secure_random_password() instead.
 *
+ * @param  integer The length of the string in bytes
 * @return string The randomised password
 */
-function get_secure_random_string() : string
+function get_secure_random_string(int $bytes = 13) : string
 {
-    // md5 used in the below so that we get nice ASCII characters
-
-    return substr(md5(random_bytes(13)), 0, 13);
+    /*
+     * We only use lowercase letters due to case sensitivity inconsistencies between operating systems.
+     * For maximum cryptographic security, the length must be a power of 2.
+     * Therefore, we took letters + numbers (36) and removed 1/l, and 0/o (32) as they look similar.
+     */
+    $characters = '23456789abcdefghijkmnpqrstuvwxyz';
+    $characters_length = strlen($characters);
+
+    $random_string = '';
+    for ($i = 0; $i < $bytes; $i++) {
+        $random_byte = random_bytes(1);
+        $random_index = ord($random_byte) % $characters_length; // Convert byte to index
+        $random_string .= $characters[$random_index];
+    }
+    return $random_string;
 }

 /**

--- a/sources/forum/phpbb3.php
+++ b/sources/forum/phpbb3.php
@@ -1461,7 +1461,7 @@ class Forum_driver_phpbb3 extends Forum_driver_base

        require_code('crypt');

-        $hash = substr(get_secure_random_string(), 0, 17);
+        $hash = get_secure_random_string(17);
        $this->db->query_insert('sessions_keys', ['key_id' => md5($hash), 'user_id' => $member_id, 'last_ip' => strval(ip2long(get_ip_address())), 'last_login' => time()]);

        if (substr($member_cookie_name, 0, 5) != 'cms__') {