From ede188815b65abcd16b4f1b125b63d269b9779ce Mon Sep 17 00:00:00 2001 From: Frédéric Guillot Date: Fri, 14 Mar 2014 21:08:15 -0400 Subject: Improve token generation by using openssl or /dev/urandom or uniqid() as fallback --- models/base.php | 43 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 37 insertions(+), 6 deletions(-) (limited to 'models') diff --git a/models/base.php b/models/base.php index 6a1dea97..9b5dc67f 100644 --- a/models/base.php +++ b/models/base.php @@ -14,27 +14,58 @@ require __DIR__.'/../vendor/SimpleValidator/Validators/AlphaNumeric.php'; require __DIR__.'/../vendor/SimpleValidator/Validators/GreaterThan.php'; require __DIR__.'/../vendor/SimpleValidator/Validators/Date.php'; +/** + * Base model class + * + * @package model + * @author Frederic Guillot + */ abstract class Base { + /** + * Database instance + * + * @access protected + * @var PicoDb + */ protected $db; + + /** + * Event dispatcher instance + * + * @access protected + * @var Core\Event + */ protected $event; + /** + * Constructor + * + * @access public + * @param PicoDb\Database $db Database instance + * @param Core\Event $event Event dispatcher instance + */ public function __construct(\PicoDb\Database $db, \Core\Event $event) { $this->db = $db; $this->event = $event; } - // Generate a random token from /dev/urandom or with uniqid() + /** + * Generate a random token with different methods: openssl or /dev/urandom or fallback to uniqid() + * + * @access public + * @return string Random token + */ public static function generateToken() { - if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') { - $token = file_get_contents('/dev/urandom', false, null, 0, 30); + if (function_exists('openssl_random_pseudo_bytes')) { + return bin2hex(\openssl_random_pseudo_bytes(16)); } - else { - $token = uniqid(mt_rand(), true); + else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') { + return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30)); } - return hash('crc32b', $token); + return hash('sha256', uniqid(mt_rand(), true)); } } -- cgit v1.2.3