danog/Valinor
1
0
Fork 0
mirror of https://github.com/danog/Valinor.git synced 2024-11-30 04:39:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

misc: do not use uniqid()

Browse Source 
The return value of `uniqid()` is not very random and easily guessable. While
this likely does not introduce any issues in CompiledPhpFileCache, the fact
that `uniqid()` is often mis-used in locations where actual randomness is a
hard requirement, makes this a red flag.

Replace the use of `uniqid()` to generate a random filename by hexadecimal
encoded `random_bytes(16)`, giving 128 Bits of randomness, making the value
unguessable in practice and preventing the `CompiledPhpFileCache` from showing
up when searching for `uniqid()`.
This commit is contained in:
Tim Düsterhus 2022-10-25 10:39:50 +02:00 committed by Romain Canon
parent 027d2a43da
commit b81847839d
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/Cache/Compiled/CompiledPhpFileCache.php
View File

@ -16,14 +16,15 @@ use Psr\SimpleCache\CacheInterface;
use Traversable; use Traversable;
use function assert; use function assert;
use function bin2hex;
use function file_exists; use function file_exists;
use function file_put_contents; use function file_put_contents;
use function is_dir; use function is_dir;
use function mkdir; use function mkdir;
use function random_bytes;
use function rename; use function rename;
use function sha1; use function sha1;
use function time; use function time;
use function uniqid;
use function unlink; use function unlink;
/** /**
@ -93,7 +94,7 @@ final class CompiledPhpFileCache implements CacheInterface
} }
/** @infection-ignore-all */ /** @infection-ignore-all */
$tmpFilename = $tmpDir . DIRECTORY_SEPARATOR . uniqid('', true); $tmpFilename = $tmpDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16));
try { try {
if (! @file_put_contents($tmpFilename, $code)) { if (! @file_put_contents($tmpFilename, $code)) {