mirror of
https://github.com/elyby/oauth2-server.git
synced 2025-01-05 19:43:56 +05:30
Update DefaultAlgorithm.php
Prevent edge-case whereby, if the majority of `base64_encode($bytes)` consists of `/` or `+` characters, the resulting key will be shorter and less unpredictable (due to a smaller keyspace) than anticipated. As a result, the `$len * 2` hack has been removed. Although it is highly probable that `$len * 2` will stop most edge cases from occurring, it does not actually guarantee the end result will be at least 40 characters long.
This commit is contained in:
parent
edaccab04b
commit
7a63f42462
@ -18,10 +18,9 @@ class DefaultAlgorithm implements KeyAlgorithmInterface
|
|||||||
*/
|
*/
|
||||||
public function generate($len = 40)
|
public function generate($len = 40)
|
||||||
{
|
{
|
||||||
// We generate twice as many bytes here because we want to ensure we have
|
$stripped = '';
|
||||||
// enough after we base64 encode it to get the length we need because we
|
do {
|
||||||
// take out the "/", "+", and "=" characters.
|
$bytes = openssl_random_pseudo_bytes($len, $strong);
|
||||||
$bytes = openssl_random_pseudo_bytes($len * 2, $strong);
|
|
||||||
|
|
||||||
// We want to stop execution if the key fails because, well, that is bad.
|
// We want to stop execution if the key fails because, well, that is bad.
|
||||||
if ($bytes === false || $strong === false) {
|
if ($bytes === false || $strong === false) {
|
||||||
@ -29,7 +28,8 @@ class DefaultAlgorithm implements KeyAlgorithmInterface
|
|||||||
throw new \Exception('Error Generating Key');
|
throw new \Exception('Error Generating Key');
|
||||||
// @codeCoverageIgnoreEnd
|
// @codeCoverageIgnoreEnd
|
||||||
}
|
}
|
||||||
|
$stripped .= str_replace(['/', '+', '='], '', base64_encode($bytes));
|
||||||
return substr(str_replace(['/', '+', '='], '', base64_encode($bytes)), 0, $len);
|
} while (strlen($stripped) < $len);
|
||||||
|
return substr($stripped, 0, $len);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user