Use random_bytes() instead of uniqid/md5 in Common::generateUniqId() for improved security #13357

Closed
mattab opened this issue Aug 28, 2018 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

mattab (Member) commented Aug 28, 2018

Replace Common::generateUniqId()'s use of md5 & uniqid w/ random_bytes() (there are polyfills for PHP 5.*, e.g., https://github.com/symfony/polyfill). Would prevent attackers from being able to guess what new token auths would be.

Noted in #12208

mattab added the c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.) label Aug 28, 2018
mattab added this to the 4.0.0 milestone Aug 28, 2018
katebutler self-assigned this Dec 10, 2019
sgiehl (Member) commented Feb 17, 2020

already fixed with #13357
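
The change this issue asks for, as an added example that is not Matomo's code and not part of the thread: it decodes a `uniqid()` value back into the clock reading it was built from, then generates an identifier of the same length from `random_bytes()`. The function names `legacyStyleId`, `uniqidToTime` and `randomId` are hypothetical, and `legacyStyleId` only stands in for the md5/uniqid pattern named in the title.

```php
<?php
declare(strict_types=1);

// Pattern named in the issue title: md5 over uniqid(). Hypothetical
// stand-in, not the body of Matomo's Common::generateUniqId().
function legacyStyleId(): string
{
    return md5(uniqid());
}

// uniqid() without arguments returns 13 hex characters: 8 for the Unix
// seconds and 5 for the microseconds, so the value is a clock reading.
function uniqidToTime(string $id): float
{
    $seconds = hexdec(substr($id, 0, 8));
    $micros  = hexdec(substr($id, 8, 5));
    return $seconds + $micros / 1e6;
}

// Replacement: 16 bytes (128 bits) from the OS CSPRNG, hex-encoded to the
// same 32-character length that md5() produces.
function randomId(): string
{
    return bin2hex(random_bytes(16));
}

$before  = microtime(true);
$raw     = uniqid();
$after   = microtime(true);
$decoded = uniqidToTime($raw);

printf("uniqid()      : %s\n", $raw);
printf("decoded clock : %.6f (call made between %.6f and %.6f)\n", $decoded, $before, $after);

// Hashing adds no entropy: rebuilding the string from the decoded clock
// fields yields the same input, and therefore the same md5 digest.
$rebuilt = sprintf('%08x%05x', hexdec(substr($raw, 0, 8)), hexdec(substr($raw, 8, 5)));
printf("md5 matches   : %s\n", md5($rebuilt) === md5($raw) ? 'yes' : 'no');

printf("legacy style  : %s\n", legacyStyleId());
printf("random_bytes  : %s\n", randomId());
```

`random_bytes()` is built in from PHP 7.0; on PHP 5.* it needs a polyfill such as the one linked in the issue.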
