Refactor getToken() [#2786353]

The getToken() function uses the PHP shuffle() function.

The PHP documention on shuffle() specifies the following:
"It uses a pseudo random number generator that is not suitable for cryptographic purposes."
This is because shuffle() is implemented using the C rand() function.

It would be safer to generate the tokens using a native Drupal function like drupal_random_bytes https://api.drupal.org/api/drupal/includes%21bootstrap.inc/function/drup...

This should be fixed for 6.x 7.x and 8.x

Comments

Comment #1

18 August 2016 at 16:24

Sam Hermans created an issue. See original summary.

Comment #2

sam hermans commented 18 August 2016 at 16:24

Issue summary:

View changes

Comment #3

sam hermans commented 19 May 2020 at 19:40

Status:

Active

» Fixed

Comment #4

2 June 2020 at 19:44

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Refactor getToken()

Comments

Comment #1

Comment #2

Comment #3

Comment #4

News items

Our community

Documentation

Drupal code base

Governance of community