

Switched uniqid for random_bytes.
uniqid isn't cryptographically secure: it is a pseudorandom number generator, meaning that its values can be deduced or easily guessed within a computationally reasonable number of guesses. This branch removes its security-oriented uses and switches to random_bytes instead.

Note: When a CRNG is not required, uniqid and other functions similar to it (e.g mt_rand & rand) are fine to use as PRNGs which is why I've left it in use for the filename-generation system.
michaellrowley committed Jul 31, 2021
1 parent de9f3d9 commit b345d6a
Showing 3 changed files with 10 additions and 10 deletions.
4 changes: 2 additions & 2 deletions app/Http/Controllers/Auth/RegisterController.php
Expand Up @@ -74,8 +74,8 @@ public function register(Request $request, $code = null)
$user->username = $request->input('username');
$user->email = $request->input('email');
$user->password = Hash::make($request->input('password'));
$user->passkey = \md5(\uniqid('', true).\time().\microtime());
$user->rsskey = \md5(\uniqid('', true).\time().\microtime().$user->password);
$user->passkey = \md5(\random_bytes(60));
$user->rsskey = \md5(\random_bytes(60).$user->password);
$user->uploaded = \config('other.default_upload');
$user->downloaded = \config('other.default_download');
$user->style = \config('other.default_style', 0);
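Review bot: On the new passkey and rsskey lines the md5() wrapper does no security work — it only folds 480 bits of CSPRNG output down to a 128-bit, 32-character hex string, which `\bin2hex(\random_bytes(16))` yields directly with the same length and entropy and without routing a fresh token through a hash that is deprecated for new code. If the 32-character width is a schema constraint it is worth stating inline, e.g. `// 32 hex chars: matches the passkey/rsskey column width` (I cannot see the migration, so that is an assumption to confirm). The same md5(random_bytes(60)) pattern is repeated in database/factories/UserFactory.php and database/seeders/UsersTableSeeder.php in this commit. Note also that random_bytes() throws when no secure entropy source is available, so register() can now fail with an uncaught exception on a misconfigured host instead of silently producing a weak key — a better failure mode, but one the controller does not handle. register()'s body continues beyond this hunk.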
4 changes: 2 additions & 2 deletions database/factories/UserFactory.php
Expand Up @@ -31,7 +31,7 @@ public function definition()
'username' => $this->faker->unique()->userName,
'email' => $this->faker->unique()->safeEmail,
'password' => \bcrypt('secret'),
'passkey' => \md5(\uniqid('', true).\time().\microtime()),
'passkey' => \md5(\random_bytes(60)),
'group_id' => fn () => Group::factory()->create()->id,
'active' => true,
'uploaded' => $this->faker->randomNumber(),
Expand All @@ -44,7 +44,7 @@ public function definition()
'seedbonus' => $this->faker->randomFloat(),
'invites' => $this->faker->randomNumber(),
'hitandruns' => $this->faker->randomNumber(),
'rsskey' => \md5(\uniqid('', true).\time().\microtime()),
'rsskey' => \md5(\random_bytes(60)),
'chatroom_id' => fn () => Chatroom::factory()->create()->id,
'censor' => $this->faker->boolean,
'chat_hidden' => $this->faker->boolean,
12 changes: 6 additions & 6 deletions database/seeders/UsersTableSeeder.php
Expand Up @@ -46,8 +46,8 @@ private function getUsers()
'email' => config('unit3d.default-owner-email'),
'group_id' => 9,
'password' => \Hash::make(config('unit3d.default-owner-password')),
'passkey' => md5(uniqid().time().microtime()),
'rsskey' => md5(uniqid().time()),
'passkey' => md5(random_bytes(60)),
'rsskey' => md5(random_bytes(60)),
'api_token' => Str::random(100),
'active' => 1,
],
Expand All @@ -56,8 +56,8 @@ private function getUsers()
'email' => config('unit3d.default-owner-email'),
'group_id' => 9,
'password' => \Hash::make(config('unit3d.default-owner-password')),
'passkey' => md5(uniqid().time().microtime()),
'rsskey' => md5(uniqid().time()),
'passkey' => md5(random_bytes(60)),
'rsskey' => md5(random_bytes(60)),
'api_token' => Str::random(100),
'active' => 1,
],
Expand All @@ -66,8 +66,8 @@ private function getUsers()
'email' => config('unit3d.default-owner-email'),
'group_id' => 10,
'password' => \Hash::make(config('unit3d.default-owner-password')),
'passkey' => md5(uniqid().time().microtime()),
'rsskey' => md5(uniqid().time()),
'passkey' => md5(random_bytes(60)),
'rsskey' => md5(random_bytes(60)),
'api_token' => Str::random(100),
'active' => 1,
],
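Review bot: Within the same arrays the new passkey/rsskey lines sit beside `'api_token' => Str::random(100)`, so the seeder now uses two different generators for the same kind of secret; Str::random is already imported here and, as far as I recall, is itself backed by random_bytes, so `'passkey' => Str::random(32)` (and likewise for rsskey) would keep a single generator and drop the md5 step. The md5(random_bytes(60)) expression is also repeated six times across the three user entries in getUsers(); a small private helper such as `private function token(): string { return md5(random_bytes(60)); }` would make any future change to the token format a one-line edit. getUsers() starts before and ends after these hunks.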
