View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
5898Composrcorepublic2024-08-18 22:082024-08-18 22:09
ReporterPDStig Assigned ToPDStig  
PriorityhighSeveritytrivial 
Status resolvedResolutionfixed 
Product Version11.beta1 
Summary5898: Make get_secure_random_string more secure
Descriptionget_secure_random_string was not, in fact, cryptographically secure because we were converting the random bytes to MD5.

This patch modifies the function in three ways:
* We generate a string character-by-character without using hashing.
* We use base32 instead of base16 (numbers and lowercase letters, except for 0, 1, l, and o).
* A param can be specified to change the length from the original forced 13 bytes.
TagsRoadmap: v11, Type: Security
Attach Tags
Attached Files
Time estimation (hours)
Sponsorship open

Sponsor

Date Added Member Amount Sponsored

Activities

admin

2024-08-18 22:08

administrator   ~9240

Fixed in Git commit 430f2b8197 (https://gitlab.com/composr-foundation/composr/commit/430f2b8197 - link will become active once code pushed to GitLab)
hotfix-5898, 2024-08-18 10pm.tar (87,040 bytes)

admin

2024-08-18 22:08

administrator   ~9241

A hotfix (a TAR of files to upload) has been uploaded to this issue. Only apply this hotfix if you absolutely need it and cannot wait until the next release of Composr (releases are more reliable and strictly tested). As of Composr version 11, the recommended way to apply a hotfix is by following the same steps as an upgrade (https://baseurl/upgrader.php, use the hotfix on the step “Transfer across new/updated files”). The upgrader will automatically skip files belonging to addons you do not have installed or that are newer on disk than in the hotfix. Otherwise, you can manually extract and replace these files (do not replace if your on-disk file is newer than the one in the hotfix). Always take backups of your site or at least files you are replacing before applying a hotfix. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

Issue History

Date Modified Username Field Change
2024-08-18 22:08 PDStig Tag Attached: Roadmap: v11
2024-08-18 22:08 PDStig Tag Attached: Type: Security
2024-08-18 22:09 PDStig Description Updated