Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-9612

Split gen_rand_string() into gen_rand_string() and gen_rand_string_friendly()

    Details

    • Type: Improvement
    • Status: Unverified Fix
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.7-PL1
    • Fix Version/s: 3.0.8-RC1
    • Component/s: None
    • Labels:
      None

      Description

      4bb3266cc62003d5bd6fafda03a5582ea06250e9 changed gen_rand_string() to also map O to Y to not confuse O and 0 in generated passwords. This reduces entropy slightly in all other places where gen_rand_string() is used.

      function gen_rand_string($num_chars = 8)
      {
      	$rand_str = unique_id();
      	$rand_str = str_replace(array('0', 'O'), array('Z', 'Y'), strtoupper(base_convert($rand_str, 16, 34)));
       
      	return substr($rand_str, 0, $num_chars);
      }
      

      Another function gen_rand_passwd() should be added to increase entropy of all gen_rand_string() output.

        Issue Links

          Activity

          Hide
          nickvergessen Joas Schilling added a comment -

          you broke the length check!

          SQL ERROR [ mysqli ]
           
          Data too long for column 'user_last_confirm_key' at row 1 [1406]
           
          SQL
           
          UPDATE phpbb_users SET user_last_confirm_key = '2RP3NG09Q9WC4' WHERE user_id = 2

          	return strtoupper(base_convert(unique_id(), 16, 36));

          should be

          	return substr(strtoupper(base_convert(unique_id(), 16, 36)), 0, $num_chars);

          in line 204.

          Show
          nickvergessen Joas Schilling added a comment - you broke the length check! SQL ERROR [ mysqli ]   Data too long for column 'user_last_confirm_key' at row 1 [1406]   SQL   UPDATE phpbb_users SET user_last_confirm_key = '2RP3NG09Q9WC4' WHERE user_id = 2 return strtoupper(base_convert(unique_id(), 16, 36)); should be return substr(strtoupper(base_convert(unique_id(), 16, 36)), 0, $num_chars); in line 204.
          Hide
          bantu Andreas Fischer added a comment -

          Oh yeah, how did that happen?

          Show
          bantu Andreas Fischer added a comment - Oh yeah, how did that happen?

            People

            • Assignee:
              bantu Andreas Fischer
              Reporter:
              bantu Andreas Fischer
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development