Project

General

Profile

Actions
Copy link

Bug #22369

closed

Mitigate PHP's RNG vulnerability

Added by Marcus Krause over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Helmut Hummel
Category:
-
Target version:
-
Start date:
2010-04-01
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.1
PHP Version:
4.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

This is a precaution to PHP's weakness in uniqid() function. The patch will use TYPO3's random byte generator to create session IDs. Therefore, the fallback part of the generator (OS: WIN) has been strengthened.
In addition, this change will mitigate the chance for undetected SID collisions.

OTRS-X-Reference: 2010033110000041

patch should be applied to TYPO3 4-1 and newer
(issue imported from #M13989)

Files

Download all files
SID-Distribution_3K_fallback.png (91.2 KB) SID-Distribution_3K_fallback.png Administrator Admin, 2010-04-02 01:25
SID-DIstribution_3K_mcrypt.png (88.7 KB) SID-DIstribution_3K_mcrypt.png Administrator Admin, 2010-04-02 01:57
13989_trunk.diff (1.69 KB) 13989_trunk.diff Administrator Admin, 2010-04-02 02:19
13989_trunk_v1.diff (1.9 KB) 13989_trunk_v1.diff Administrator Admin, 2010-04-02 11:58
13989_4-3_v1.diff (1.9 KB) 13989_4-3_v1.diff Administrator Admin, 2010-04-02 12:07
13989_4-2_v1.diff (2.01 KB) 13989_4-2_v1.diff Administrator Admin, 2010-04-02 12:18
13989_4-1_v1.diff (2.44 KB) 13989_4-1_v1.diff Administrator Admin, 2010-04-02 12:37
13989_4-2_v2.diff (2.89 KB) 13989_4-2_v2.diff Administrator Admin, 2010-07-24 20:11
13989_4-3_trunk.v2.diff (2.78 KB) 13989_4-3_trunk.v2.diff Administrator Admin, 2010-07-24 20:11
13989_4-1_v2.diff (3.23 KB) 13989_4-1_v2.diff Administrator Admin, 2010-07-24 20:20
13989_4-1_v3.diff (2.59 KB) 13989_4-1_v3.diff Administrator Admin, 2010-07-25 19:56
13989_4-2_v3.diff (2.29 KB) 13989_4-2_v3.diff Administrator Admin, 2010-07-25 19:56
13989_4-3_trunk_v3.diff (2.29 KB) 13989_4-3_trunk_v3.diff Administrator Admin, 2010-07-25 19:57
13989_4-1_v3-usage.diff (1.31 KB) 13989_4-1_v3-usage.diff Administrator Admin, 2010-07-26 18:02
13989_4-2_v3-usage.diff (1.31 KB) 13989_4-2_v3-usage.diff Administrator Admin, 2010-07-26 18:02
13989_4-3_trunk_v3-usage.diff (946 Bytes) 13989_4-3_trunk_v3-usage.diff Administrator Admin, 2010-07-26 18:03
13989_4-1_v4.diff (2.33 KB) 13989_4-1_v4.diff Administrator Admin, 2010-07-26 23:24
13989_4-2_v4.diff (2.26 KB) 13989_4-2_v4.diff Administrator Admin, 2010-07-26 23:24
13989_4-3_trunk_v4a.diff (2.26 KB) 13989_4-3_trunk_v4a.diff Administrator Admin, 2010-07-26 23:24

Related issues 3 (0 open3 closed)

Related to TYPO3 Core - Feature #20577: Create better session identifiers and add basic validationClosedChristian Kuhn2009-06-05

Actions
Related to TYPO3 Core - Bug #23355: Speed up / restructure of random byte generator to address e.g. WIN OS specificsClosed2010-08-05

Actions
Related to TYPO3 Core - Bug #24410: Parameter for function "mcrypt_create_iv" not correctClosed2010-12-24

Actions
Actions
Copy link
 #1

Updated by Francois Suter over 14 years ago

Hey Markus,

I'm afraid I can't see the difference between the two pictures, so it's quite difficult to assess the improvement. Could you maybe clarify this a bit?

Actions
Copy link
 #2

Updated by Oliver Hader over 14 years ago

Committed to SVN
  • TYPO3_4-1 (rev. 8371)
  • TYPO3_4-2 (rev. 8372)
  • TYPO3_4-3 (rev. 8373)
  • TYPO3_4-4 (rev. 8374)
  • Trunk (rev. 8375)
Actions
Copy link
 #3

Updated by Ingo Renner over 14 years ago

released in
4.1.15
4.2.14
4.3.5
4.4.2

Actions
Copy link

Also available in: Atom PDF