
Conversation

NicolasToussaint
Member

@NicolasToussaint NicolasToussaint commented Dec 13, 2022

Replaced the cryptographically insecure PHP rand() function
with the PHP built-in random_int(), a secure pseudo-random number generator

Description

This fixes weak methods of generating pseudo-random values, as detected by a Checkmarx scan of Fossology

Changes

Fixes 5 instances of randomness generation in PHP scripts

with the PHP built-in random_int(), a secure pseudo-random number generator

Signed-off-by: Toussaint Nicolas <[email protected]>
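Added example (not code from the Fossology PR) of the before/after pattern the description refers to; the token helper and its alphabet are a constructed call site, not one of the five scripts the PR touched:

```php
<?php
declare(strict_types=1);

// Before: rand() is a non-cryptographic PRNG (an alias of mt_rand, Mersenne
// Twister, since PHP 7.1). Its state can be recovered from observed outputs,
// so anything derived from it (tokens, nonces, file names) is predictable.
function weakToken(int $length): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'; // constructed
    $last = strlen($alphabet) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[rand(0, $last)];
    }
    return $token;
}

// After: random_int() reads from the OS CSPRNG and returns a uniformly
// distributed integer in the inclusive range [$min, $max], the same range
// semantics as rand($min, $max), so each call site is a drop-in change.
function secureToken(int $length): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'; // constructed
    $last = strlen($alphabet) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        // Caveat: unlike rand(), random_int() requires $min <= $max and
        // throws (ValueError on PHP 8) instead of swapping the bounds.
        $token .= $alphabet[random_int(0, $last)];
    }
    return $token;
}

try {
    // random_int() throws when no secure entropy source is available
    // (\Exception on PHP 7, Random\RandomException on PHP >= 8.2).
    // Fail closed here; never fall back to rand() in the catch block.
    echo secureToken(32), PHP_EOL;
} catch (\Exception $e) {
    fwrite(STDERR, 'No secure randomness available: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
```

When reviewing such a replacement, check that the call site does not depend on rand() being seedable via srand(): random_int() cannot be seeded, so code that reseeds to reproduce a sequence (for tests, for example) needs a different approach.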
@shaheemazmalmmd
Member

@NicolasToussaint: While testing this branch on an existing instance, I'm getting the error below; please look into it.

[Tue Jan 03 11:08:04.210076 2023] [php:notice] [pid 25741] [client 10.0.2.2:58576] PHP Fatal error:  Uncaught Error: Fossology\\Lib\\Dao\\UserDao::getUserAndDefaultGroupByUserName(): Argument #1 ($userName) cannot be passed by reference in /usr/local/share/fossology/www/ui/core-auth.php:156\nStack trace:\n#0 /usr/local/share/fossology/www/ui/core-auth.php(137): core_auth->updateSession()\n#1 /usr/local/share/fossology/lib/php/Plugin/FO_Plugin.php(466): core_auth->PostInitialize()\n#2 /usr/local/share/fossology/lib/php/common-plugin.php(219): FO_Plugin->preInstall()\n#3 /usr/local/share/fossology/www/ui/index.php(46): plugin_preinstall()\n#4 {main}\n  thrown in /usr/local/share/fossology/www/ui/core-auth.php on line 156

Member

@GMishx GMishx left a comment


Changes look good. Tested, working as expected.

@GMishx GMishx merged commit 2a9ff62 into fossology:master Jan 16, 2023


3 participants