Re: [aur-dev] [PATCH 3/5] remove unneeded make_seed()

2011-06-25 Thread Lukas Fleischer
On Wed, Jun 22, 2011 at 09:36:42PM +0200, Florian Pritz wrote:
 http://us.php.net/mt_srand
  Note: As of PHP 4.2.0, there is no need to seed the random number
  generator with srand() or mt_srand() as this is now done
  automatically.
 
 Signed-off-by: Florian Pritz bluew...@xinu.at
 ---
  web/lib/aur.inc.php |   12 +---
  1 files changed, 1 insertions(+), 11 deletions(-)
 
 diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
 index 3250133..382578c 100644
 --- a/web/lib/aur.inc.php
 +++ b/web/lib/aur.inc.php
 @@ -81,25 +81,15 @@ function valid_email($addy) {
   return ( ! 
 preg_match(/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix,
  $addy)) ? FALSE : TRUE;
  }
  
 -# a new seed value for mt_srand()
 -#
 -function make_seed() {
 - list($usec, $sec) = explode(' ', microtime());
 - return (float) $sec + ((float) $usec * 1);
 -}
 -
  # generate a (hopefully) unique session id
  #
  function new_sid() {
 - mt_srand(make_seed());
   $ts = time();
   $pid = getmypid();
  
 - $rand_num = mt_rand();
 - mt_srand(make_seed());
   $rand_str = substr(md5(mt_rand()),2, 20);
  
 - $id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num;
 + $id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand();
   return strtoupper(md5($id));

The session ID generation seems more of an arbitrary composition of
commands to me anyway. Looking at the $rand_str calculation and the
last two lines of code, it's easy to see that the amount of
self-information of a session ID generated by current new_sid() is even
below MD5's digest size of 128 bits.

How about just using something like this:


return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true));


This is (kind of) clear and results in all session IDs of our session ID
universe being used (assuming that at least 256 different IP addresses
are in use and without taking MD5 vulnerabilities into account, of
course).

  }
  
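Review bot: after this change every unpredictable input to new_sid() comes from mt_rand() (once inside $rand_str, once appended to $id); the remaining inputs are time() and getmypid(). mt_rand() is a Mersenne Twister and not a cryptographic generator, so dropping the manual seeding is fine but does not make the session ID hard to guess. Since this function issues session identifiers, consider a follow-up that takes the ID from a cryptographically secure source such as openssl_random_pseudo_bytes() instead of hashing mt_rand() output.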
 -- 
 1.7.5.4


[aur-dev] [PATCH 3/5] remove unneeded make_seed()

2011-06-22 Thread Florian Pritz
http://us.php.net/mt_srand
 Note: As of PHP 4.2.0, there is no need to seed the random number
 generator with srand() or mt_srand() as this is now done
 automatically.

Signed-off-by: Florian Pritz bluew...@xinu.at
---
 web/lib/aur.inc.php |   12 +---
 1 files changed, 1 insertions(+), 11 deletions(-)

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 3250133..382578c 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -81,25 +81,15 @@ function valid_email($addy) {
return ( ! 
preg_match(/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix,
 $addy)) ? FALSE : TRUE;
 }
 
-# a new seed value for mt_srand()
-#
-function make_seed() {
-   list($usec, $sec) = explode(' ', microtime());
-   return (float) $sec + ((float) $usec * 1);
-}
-
 # generate a (hopefully) unique session id
 #
 function new_sid() {
-   mt_srand(make_seed());
$ts = time();
$pid = getmypid();
 
-   $rand_num = mt_rand();
-   mt_srand(make_seed());
$rand_str = substr(md5(mt_rand()),2, 20);
 
-   $id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num;
+   $id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand();
return strtoupper(md5($id));
 }
 
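Review bot: the commit message gives only the manual's note on automatic seeding as the reason, but the removed mt_srand(make_seed()) lines in new_sid() were more than redundant: they reseeded from microtime() right before each mt_rand() call, so both draws depended on the wall clock. mt_srand() takes an integer seed, so with the `* 1` factor shown the fractional part is dropped and two calls within the same second get the same seed. Stating this in the message would record that the patch removes a clock-derived seed from session ID generation, and that the second mt_rand() value is now drawn after $rand_str rather than before it.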
-- 
1.7.5.4