8000 minor #50853 [Security] `random_bytes` length should be an int greate… · symfony/symfony@a746442 · GitHub


Commit a746442

minor #50853 [Security] random_bytes length should be an int greater than 7 (asispts)
This PR was merged into the 5.4 branch. Discussion ---------- [Security] `random_bytes` length should be an int greater than 7 | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no <!-- please update src/**/CHANGELOG.md files --> | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files --> | Tickets | | License | MIT | Doc PR | `random_bytes` can only accept an `int<1, max>` value. - See: https://3v4l.org/tHf9P - See: https://3v4l.org/u57Ol This PR ensures that the value passed to `random_bytes` is an integer greater than 0. Commits ------- 9b80238 random_bytes length should be an int greater than 0
2 parents d3b33d9 + 9b80238 commit a746442


2 files changed

+29
-1
lines changed


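--- a/src/Symfony/Component/Security/Csrf/Tests/TokenGenerator/UriSafeTokenGeneratorTest.php
+++ b/src/Symfony/Component/Security/Csrf/Tests/TokenGenerator/UriSafeTokenGeneratorTest.php
@@ -57,4 +57,28 @@ public function testGenerateToken()
 $this->assertStringNotMatchesFormat('%S/%S', $token, 'is URI safe');
 $this->assertStringNotMatchesFormat('%S=%S', $token, 'is URI safe');
 }
+
+/**
+* @dataProvider validDataProvider
+*/
+public function testValidLength(int $entropy, int $length)
+{
+$generator = new UriSafeTokenGenerator($entropy);
+$token = $generator->generateToken();
+$this->assertSame($length, \strlen($token));
+}
+
+public static function validDataProvider(): \Iterator
+{
+yield [24, 4];
+yield 'Float length' => [20, 3];
+}
+
+public function testInvalidLength()
+{
+$this->expectException(\InvalidArgumentException::class);
+$this->expectExceptionMessage('Entropy should be greater than 7.');
+
+new UriSafeTokenGenerator(7);
+}
 }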
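Review bot: testInvalidLength pins only the boundary value 7, while the commit description states that random_bytes() rejects every length below 1, so the guard's behaviour for 0 and negative entropy is not verified here; turning the test into a data provider with cases for 7, 0 and a negative value would cover the whole rejected range at no cost. The dataset name 'Float length' in validDataProvider describes the pre-fix symptom (20 / 8 = 2.5) rather than what the test now asserts; a name such as 'Entropy not a multiple of 8 is truncated to whole bytes' tells a future reader why 20 bits yield a 3-character token. testGenerateToken's body starts above the hunk.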

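--- a/src/Symfony/Component/Security/Csrf/TokenGenerator/UriSafeTokenGenerator.php
+++ b/src/Symfony/Component/Security/Csrf/TokenGenerator/UriSafeTokenGenerator.php
@@ -27,6 +27,10 @@ class UriSafeTokenGenerator implements TokenGeneratorInterface
 */
 public function __construct(int $entropy = 256)
 {
+if ($entropy <= 7) {
+throw new \InvalidArgumentException('Entropy should be greater than 7.');
+}
+
 $this->entropy = $entropy;
 }
 
@@ -38,7 +42,7 @@ public function generateToken()
 // Generate an URI safe base64 encoded string that does not contain "+",
 // "/" or "=" which need to be URL encoded and make URLs unnecessarily
 // longer.
-$bytes = random_bytes($this->entropy / 8);
+$bytes = random_bytes(intdiv($this->entropy, 8));
 
 return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
 }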
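Review bot: The new guard in __construct only stops random_bytes() from receiving a length below 1; the intdiv() on the new side of the second hunk still drops any remainder, so an entropy of 20 produces 2 random bytes (16 bits) and the caller silently gets less randomness than requested, which the companion test pins as accepted behaviour. If that truncation is intended on this bug-fix branch, make it visible: add `// Only whole bytes are drawn; the remainder of $entropy / 8 is discarded.` above the random_bytes() call, and state the minimum in the constructor docblock, which starts above the first hunk, with `@throws \InvalidArgumentException when $entropy is lower than 8`. The exception message 'Entropy should be greater than 7.' would also read more naturally as the bound it enforces, e.g. `throw new \InvalidArgumentException(sprintf('Entropy must be at least 8 bits, %d given.', $entropy));`, though that would require updating the test's expected message. generateToken's signature and the rest of the method lie outside the second hunk.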
