Problem/Motivation
\Drupal\encrypt\Entity\EncryptionProfile::validate uses \Drupal\Component\Utility\Random to generate a random string, which is not considered to be cryptographically secure.
Proposed resolution
Even if it technically doesn't matter that much, IMHO we should go with \Drupal\Component\Utility\Crypt::randomBytesBase64 so that scanners don't trigger on it.
Remaining tasks
User interface changes
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#3 | use_the_cryptographic-2734501-3.patch | 1.39 KB | scott_euser |
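Added example, not part of the issue or the attached patch: a standalone PHP sketch of why a seeded Mersenne Twister string is flagged while a `random_bytes()`-based one is not. The function names `weak_random_string` and `csprng_base64` are hypothetical stand-ins and the seed is constructed; the assumption is that the Random utility draws from `mt_rand()` and that `Crypt::randomBytesBase64` wraps `random_bytes()` with URL-safe base64.

```php
<?php
// Added example; the function names are hypothetical stand-ins, not Drupal code.

// Stand-in for a non-cryptographic generator: printable ASCII from mt_rand().
function weak_random_string(int $length): string {
  $str = '';
  for ($i = 0; $i < $length; $i++) {
    $str .= chr(mt_rand(32, 126));
  }
  return $str;
}

// Stand-in for a CSPRNG-backed helper: random_bytes() as URL-safe base64.
function csprng_base64(int $count = 32): string {
  $encoded = base64_encode(random_bytes($count));
  return str_replace(['+', '/', '='], ['-', '_', ''], $encoded);
}

// Constructed seed. The Mersenne Twister stream is fully determined by it,
// so anyone who knows or recovers the seed can regenerate the string.
mt_srand(12345);
$first = weak_random_string(16);
mt_srand(12345);
$second = weak_random_string(16);
echo "mt_rand strings identical after reseeding: ";
var_dump($first === $second);

// random_bytes() reads from the operating system CSPRNG and ignores
// mt_srand(), so reseeding does not make its output repeat.
mt_srand(12345);
$a = csprng_base64();
mt_srand(12345);
$b = csprng_base64();
echo "random_bytes strings identical after reseeding: ";
var_dump($a === $b);
```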
Comments
Comment #2
dawehner: It's more of a task.
Comment #3
scott_euser (at Fat Beehive) commented: This seems like the attached is all there is to it - correct me if I'm wrong, but this seems to be only used when validating the profile on create and edit but doesn't actually change how data is encrypted when the profile is used and is therefore fairly risk-free to implement.
Comment #4
dawehner: This is nice!
Comment #5
rlhawk: Looks good, thanks.
Comment #7
rlhawk