Issue #3103145 by omkar06, nileshlohar, wundo, Heine: Weak algorithms usage should be avoided

6731656f · nlohar · Fabiano Sant'Ana · a1f552f0 · 6731656f · 6731656f
Commit 6731656f authored Feb 20, 2020 by nlohar Committed by Fabiano Sant'Ana Feb 20, 2020
--- a/captcha.module
+++ b/captcha.module
@@ -396,7 +396,7 @@ function _captcha_get_posted_captcha_info(array $element, FormStateInterface $fo
      (int) $input['captcha_sid']
      : NULL;
    $posted_captcha_token = isset($input['captcha_token']) ?
-      preg_replace("/[^a-zA-Z0-9]/", "", (string) $input['captcha_token'])
+      preg_replace("/[^a-zA-Z0-9-_]/", "", (string) $input['captcha_token'])
      : NULL;

    if ($posted_form_id == $this_form_id) {

--- a/image_captcha/src/Controller/CaptchaImageRefresh.php
+++ b/image_captcha/src/Controller/CaptchaImageRefresh.php
@@ -12,6 +12,7 @@ use Drupal\Core\Database\Database;
 use Drupal\Core\Url;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\JsonResponse;
+use Drupal\Component\Utility\Crypt;

 /**
 * Description of CaptchaImageRefresh.
@@ -56,7 +57,7 @@ class CaptchaImageRefresh extends ControllerBase {
      module_load_include('inc', 'captcha', 'captcha');
      $config = $this->config('image_captcha.settings');
      $captcha_sid = _captcha_generate_captcha_session($form_id);
-      $captcha_token = md5(mt_rand());
+      $captcha_token = Crypt::randomBytesBase64();
      $allowed_chars = _image_captcha_utf8_split($config->get('image_captcha_image_allowed_chars', IMAGE_CAPTCHA_ALLOWED_CHARACTERS));
      $code_length = (int) $config->get('image_captcha_code_length');
      $code = '';

--- a/src/Element/Captcha.php
+++ b/src/Element/Captcha.php
@@ -7,6 +7,7 @@ use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
 use Drupal\Core\Render\Element\FormElement;
 use Symfony\Component\DependencyInjection\ContainerInterface;
+use Drupal\Component\Utility\Crypt;

 /**
 * Defines the CAPTCHA form element with default properties.
@@ -114,7 +115,7 @@ class Captcha extends FormElement implements ContainerFactoryPluginInterface {
      // Generate a new CAPTCHA session if we could
      // not reuse one from a posted form.
      $captcha_sid = _captcha_generate_captcha_session($this_form_id, CAPTCHA_STATUS_UNSOLVED);
-      $captcha_token = md5(mt_rand());
+      $captcha_token = Crypt::randomBytesBase64();
      \Drupal::database()->update('captcha_sessions')
        ->fields(['token' => $captcha_token])
        ->condition('csid', $captcha_sid)