Problem/Motivation

\Drupal\encrypt\Entity\EncryptionProfile::validate uses \Drupal\Component\Utility\Random to generate a random string, which is not considered to be cryptographically secure.

Proposed resolution

Even if it technically doesn't matter that much, IMHO we should go with \Drupal\Component\Utility\Crypt::randomBytesBase64 so that scanners don't trigger on it.

Remaining tasks

User interface changes

API changes

Data model changes


Comments

dawehner created an issue. See original summary.

dawehner

Category: Bug report » Task

It's more of a task.

scott_euser

Status: Active » Needs review
FileSize
1.39 KB

This seems like the attached is all there is to it - correct me if I'm wrong, but this seems to be used only when validating the profile on create and edit but doesn't actually change how data is encrypted when the profile is used, and is therefore fairly risk-free to implement.
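The difference behind the swap discussed in this issue, as an added illustration that is not code from the patch, the Encrypt module or Drupal core: `Random::string()` draws its characters from `mt_rand()`, while `Crypt::randomBytesBase64()` returns URL-safe base64 over CSPRNG bytes. The function names `mt_based_string()` and `csprng_base64()` and the seed value are constructed for this example.

```php
<?php
// Added illustration; mt_based_string() and csprng_base64() are hypothetical
// stand-ins, not functions from Drupal core or the Encrypt module.

// Same character source as Random::string(): printable ASCII from mt_rand().
function mt_based_string(int $length): string {
  $out = '';
  for ($i = 0; $i < $length; $i++) {
    $out .= chr(mt_rand(32, 126));
  }
  return $out;
}

// Same shape as Crypt::randomBytesBase64(): CSPRNG bytes encoded as URL-safe
// base64 with the '=' padding removed.
function csprng_base64(int $count = 32): string {
  return rtrim(strtr(base64_encode(random_bytes($count)), '+/', '-_'), '=');
}

// The Mersenne Twister output is fully determined by its seed, so replaying
// the seed replays the "random" string.
mt_srand(12345); // constructed seed
$first = mt_based_string(16);
mt_srand(12345);
$second = mt_based_string(16);
if ($first !== $second) {
  throw new RuntimeException('expected the seeded generator to repeat');
}

// random_bytes() reads the operating system CSPRNG and exposes no seed.
$a = csprng_base64();
$b = csprng_base64();
if ($a === $b || !preg_match('/^[A-Za-z0-9_-]{43}$/', $a)) {
  throw new RuntimeException('unexpected CSPRNG output');
}

echo "mt_rand string repeats under the same seed: ", json_encode($first), "\n";
echo "CSPRNG tokens differ: $a / $b\n";
```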

dawehner

This is nice!

rlhawk

Status: Needs review » Reviewed & tested by the community

Looks good, thanks.

  • rlhawk committed e4b0715 on 8.x-3.x authored by scott_euser
    Issue #2734501 by scott_euser: Use the cryptographic secure random...
rlhawk

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.