Fixes #14671: use `random_int()` instead of `mt_rand()` to generate cryptographically secure pseudo-random integers

7 years ago · 003d83c6e0
5 changed files with 12 additions and 11 deletions
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@ -25,6 +25,7 @@ Yii Framework 2 Change Log
 - Chg #12089: Behavior of `yii\grid\DataColumn::$filterInputOptions` changed when default value is overwritten (bvanleeuwen, cebe)
 - Chg #13885: Removed APC support in ApcCache. APCu works as before (samdark) 
 - Chg #14178: Removed HHVM-specific code (samdark)
+- Enh #14671: use `random_int()` instead of `mt_rand()` to generate cryptographically secure pseudo-random integers (yyxx9988)

 2.0.13 under development
 ------------------------
--- a/framework/captcha/GdDriver.php
+++ b/framework/captcha/GdDriver.php
@ -64,8 +64,8 @@ class GdDriver extends Driver
        $x = 10;
        $y = round($this->height * 27 / 40);
        for ($i = 0; $i < $length; ++$i) {
-            $fontSize = (int) (mt_rand(26, 32) * $scale * 0.8);
-            $angle = mt_rand(-10, 10);
+            $fontSize = (int) (random_int(26, 32) * $scale * 0.8);
+            $angle = random_int(-10, 10);
            $letter = $code[$i];
            $box = imagettftext($image, $fontSize, $angle, $x, $y, $foreColor, $this->fontFile, $letter);
            $x = $box[2] + $this->offset;
--- a/framework/captcha/ImagickDriver.php
+++ b/framework/captcha/ImagickDriver.php
@ -54,9 +54,9 @@ class ImagickDriver extends Driver
        for ($i = 0; $i < $length; ++$i) {
            $draw = new \ImagickDraw();
            $draw->setFont($this->fontFile);
-            $draw->setFontSize((int) (mt_rand(26, 32) * $scale * 0.8));
+            $draw->setFontSize((int) (random_int(26, 32) * $scale * 0.8));
            $draw->setFillColor($foreColor);
-            $image->annotateImage($draw, $x, $y, mt_rand(-10, 10), $code[$i]);
+            $image->annotateImage($draw, $x, $y, random_int(-10, 10), $code[$i]);
            $fontMetrics = $image->queryFontMetrics($draw, $code[$i]);
            $x += (int) $fontMetrics['textWidth'] + $this->offset;
        }
--- a/framework/captcha/VerifyCodeGeneratorTrait.php
+++ b/framework/captcha/VerifyCodeGeneratorTrait.php
@ -42,16 +42,16 @@ trait VerifyCodeGeneratorTrait
        if ($this->maxLength > 20) {
            $this->maxLength = 20;
        }
-        $length = mt_rand($this->minLength, $this->maxLength);
+        $length = random_int($this->minLength, $this->maxLength);

        $letters = 'bcdfghjklmnpqrstvwxyz';
        $vowels = 'aeiou';
        $code = '';
        for ($i = 0; $i < $length; ++$i) {
-            if ($i % 2 && mt_rand(0, 10) > 2 || !($i % 2) && mt_rand(0, 10) > 9) {
-                $code .= $vowels[mt_rand(0, 4)];
+            if ($i % 2 && random_int(0, 10) > 2 || !($i % 2) && random_int(0, 10) > 9) {
+                $code .= $vowels[random_int(0, 4)];
            } else {
-                $code .= $letters[mt_rand(0, 20)];
+                $code .= $letters[random_int(0, 20)];
            }
        }

--- a/tests/framework/web/UploadedFileTest.php
+++ b/tests/framework/web/UploadedFileTest.php
@ -27,10 +27,10 @@ class UploadedFileTest extends TestCase
    private function generateFakeFileData()
    {
        return [
-            'name' => md5(mt_rand()),
-            'tmp_name' => md5(mt_rand()),
+            'name' => md5(random_int()),
+            'tmp_name' => md5(random_int()),
            'type' => 'image/jpeg',
-            'size' => mt_rand(1000, 10000),
+            'size' => random_int(1000, 10000),
            'error' => 0,
        ];
    }