From cf47a71db7ffa997478d461330850f71f565f73a Mon Sep 17 00:00:00 2001
From: Qiang Xue <qiang.xue@gmail.com>
Date: Sun, 2 Jun 2013 22:47:02 -0400
Subject: [PATCH] Fixes issue #478: Improved the generation of secret key

---
 framework/yii/helpers/base/SecurityHelper.php | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/framework/yii/helpers/base/SecurityHelper.php b/framework/yii/helpers/base/SecurityHelper.php
index 3f69fee..f646a24 100644
--- a/framework/yii/helpers/base/SecurityHelper.php
+++ b/framework/yii/helpers/base/SecurityHelper.php
@@ -131,15 +131,30 @@ class SecurityHelper
 			$keys = is_file($keyFile) ? require($keyFile) : array();
 		}
 		if (!isset($keys[$name])) {
-			// generate a 32-char random key
-			$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
-			$keys[$name] = substr(str_shuffle(str_repeat($chars, 5)), 0, $length);
+			$keys[$name] = static::generateRandomKey($length);
 			file_put_contents($keyFile, "<?php\nreturn " . var_export($keys, true) . ";\n");
 		}
 		return $keys[$name];
 	}
 
 	/**
+	 * Generates a random key.
+	 * @param integer $length the length of the key that should be generated
+	 * @return string the generated random key
+	 */
+	public static function generateRandomKey($length = 32)
+	{
+		if (function_exists('openssl_random_pseudo_bytes')) {
+			$key = base64_encode(openssl_random_pseudo_bytes($length, $strong));
+			if ($strong) {
+				return substr($key, 0, $length);
+			}
+		}
+		$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+		return substr(str_shuffle(str_repeat($chars, 5)), 0, $length);
+	}
+
+	/**
 	 * Opens the mcrypt module.
 	 * @return resource the mcrypt module handle.
 	 * @throws InvalidConfigException if mcrypt extension is not installed