Merge pull request #148 from bestit/feature/OXAP-343-use-random-bytes

Feature/oxap 343 use random bytes
bestit · Feb 8, 2021 · 829a8db · BenjaminJoerger · Feb 9, 2021 · 829a8db
2 parents 653111e + c7d11de
commit 829a8db
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 66 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](https://semver.org/spec2.0.0.html).
+## [3.6.7] - 2020-02-05
+### Fixed
+- Use random_bytes
+
 ## [3.6.6] - 2020-02-02
 ### Fixed
 - Adds a secret key to the controller

diff --git a/application/controllers/admin/bestitamazonpay4oxid_init.php b/application/controllers/admin/bestitamazonpay4oxid_init.php
@@ -20,6 +20,7 @@
  * @version   GIT: $Id$
  * @link      http://www.bestit-online.de
  */
+require_once dirname(__FILE__).'/../../../vendor/paragonie/random_compat/lib/random.php';
 
 /**
  * Class bestitAmazonPay4Oxid_init
@@ -354,44 +355,17 @@ public static function onDeactivate()
     }
 
     /**
-     * @see https://gist.github.com/tylerhall/521810
-     * Generates a strong password of N length containing at least one lower case letter,
-     * one uppercase letter and one digit. The remaining characters
-     * in the password are chosen at random from those four sets.
-     *
-     * The available characters in each set are user friendly - there are no ambiguous
-     * characters such as i, l, 1, o, 0, etc. This makes it much easier for users to manually
-     * type or speak their passwords.
-     *
-     * @param int $length
+     * Generates a strong password using random_bytes
      *
      * @return string
      */
-    protected static function _generatePassword($length = 15)
+    protected static function _generatePassword()
     {
-        $sets = array();
-        $sets[] = 'abcdefghjkmnpqrstuvwxyz';
-        $sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
-        $sets[] = '23456789';
-
-        $pool = '';
-        $password = '';
-
-        foreach ($sets as $set) {
-            $password .= $set[array_rand(str_split($set))];
-            $pool .= $set;
-        }
-
-        $pool = str_split($pool);
-        for ($i = 0; $i < $length - count($sets); ++$i) {
-            $password .= $pool[array_rand($pool)];
-        }
-        $password = str_shuffle($password);
+        $bytes = random_bytes(32);
 
-        return $password;
+        return bin2hex($bytes);
     }
 
-
     /**
      * Returns the current installed version.
      *

diff --git a/composer.json b/composer.json
@@ -4,7 +4,7 @@
   "type": "oxideshop-module",
   "keywords": ["oxid", "modules", "eShop"],
   "homepage": "https://www.bestit-online.de",
-  "version": "3.6.6",
+  "version": "3.6.7",
   "license": [
     "GPL-3.0-only",
     "proprietary"
@@ -24,7 +24,8 @@
     "ext-curl": "*",
     "ext-openssl": "*",
     "amzn/amazon-pay-sdk-php": "~3.4.1",
-    "monolog/monolog": "^1.23"
+    "monolog/monolog": "^1.23",
+    "paragonie/random_compat": "<9.99"
   },
   "autoload": {
     "exclude-from-classmap": ["/vendor/phpunit/", "/vendor/sebastian/"]

diff --git a/composer.lock b/composer.lock
diff --git a/ext/bestitamazonpay4oxid_module_config.php b/ext/bestitamazonpay4oxid_module_config.php
@@ -1,4 +1,5 @@
 <?php
+require_once dirname(__FILE__).'/../vendor/paragonie/random_compat/lib/random.php';
 
 /**
  * Extension for OXID module_config controller
@@ -77,40 +78,14 @@ public function saveConfVars()
     }
 
     /**
-     * @see https://gist.github.com/tylerhall/521810
-     * Generates a strong password of N length containing at least one lower case letter,
-     * one uppercase letter and one digit. The remaining characters
-     * in the password are chosen at random from those four sets.
-     *
-     * The available characters in each set are user friendly - there are no ambiguous
-     * characters such as i, l, 1, o, 0, etc. This makes it much easier for users to manually
-     * type or speak their passwords.
-     *
-     * @param int $length
+     * Generates a strong password using random_bytes
      *
      * @return string
      */
-    protected static function _generatePassword($length = 15)
+    protected static function _generatePassword()
     {
-        $sets = array();
-        $sets[] = 'abcdefghjkmnpqrstuvwxyz';
-        $sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
-        $sets[] = '23456789';
-
-        $pool = '';
-        $password = '';
-
-        foreach ($sets as $set) {
-            $password .= $set[array_rand(str_split($set))];
-            $pool .= $set;
-        }
-
-        $pool = str_split($pool);
-        for ($i = 0; $i < $length - count($sets); ++$i) {
-            $password .= $pool[array_rand($pool)];
-        }
-        $password = str_shuffle($password);
+        $bytes = random_bytes(32);
 
-        return $password;
+        return bin2hex($bytes);
     }
 }
diff --git a/metadata.php b/metadata.php
@@ -40,7 +40,7 @@
 		<b style="color: red">Wenn Sie das Modul von einer vorhergehenden Version updaten muss das Module deaktivert und erneut aktiviert werden</b>'
     ),
     'thumbnail' => 'bestitamazonpay4oxid_logo.png',
-    'version' => '3.6.6',
+    'version' => '3.6.7',
     'author' => 'best it GmbH & Co. KG',
     'url' => 'http://www.bestit-online.de',
     'email' => 'support@bestit-online.de',