Commit 6731656f authored by nlohar's avatar nlohar Committed by Fabiano Sant'Ana

Issue #3103145 by omkar06, nileshlohar, wundo, Heine: Weak algorithms usage should be avoided

parent a1f552f0
...@@ -396,7 +396,7 @@ function _captcha_get_posted_captcha_info(array $element, FormStateInterface $fo ...@@ -396,7 +396,7 @@ function _captcha_get_posted_captcha_info(array $element, FormStateInterface $fo
(int) $input['captcha_sid'] (int) $input['captcha_sid']
: NULL; : NULL;
$posted_captcha_token = isset($input['captcha_token']) ? $posted_captcha_token = isset($input['captcha_token']) ?
preg_replace("/[^a-zA-Z0-9]/", "", (string) $input['captcha_token']) preg_replace("/[^a-zA-Z0-9-_]/", "", (string) $input['captcha_token'])
: NULL; : NULL;
if ($posted_form_id == $this_form_id) { if ($posted_form_id == $this_form_id) {
......
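Review bot: The widened character class on the changed line, `[^a-zA-Z0-9-_]`, places the hyphen mid-class; PCRE treats it as a literal only because it immediately follows the `0-9` range, so it reads like a `9-_` range and silently changes meaning if anyone reorders the class. Prefer the unambiguous form `preg_replace("/[^a-zA-Z0-9_-]/", "", (string) $input['captcha_token'])` with the hyphen last, or escape it as `\-`. The extra `-` and `_` presumably exist so tokens from Crypt::randomBytesBase64() (URL-safe base64) survive sanitisation, and that coupling deserves a line such as `// Token is URL-safe base64 (A-Za-z0-9, '-', '_'); strip anything else.` so the two sites stay in sync. _captcha_get_posted_captcha_info() begins before and continues after this hunk.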
...@@ -12,6 +12,7 @@ use Drupal\Core\Database\Database; ...@@ -12,6 +12,7 @@ use Drupal\Core\Database\Database;
use Drupal\Core\Url; use Drupal\Core\Url;
use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse; use Symfony\Component\HttpFoundation\JsonResponse;
use Drupal\Component\Utility\Crypt;
/** /**
* Description of CaptchaImageRefresh. * Description of CaptchaImageRefresh.
...@@ -56,7 +57,7 @@ class CaptchaImageRefresh extends ControllerBase { ...@@ -56,7 +57,7 @@ class CaptchaImageRefresh extends ControllerBase {
module_load_include('inc', 'captcha', 'captcha'); module_load_include('inc', 'captcha', 'captcha');
$config = $this->config('image_captcha.settings'); $config = $this->config('image_captcha.settings');
$captcha_sid = _captcha_generate_captcha_session($form_id); $captcha_sid = _captcha_generate_captcha_session($form_id);
$captcha_token = md5(mt_rand()); $captcha_token = Crypt::randomBytesBase64();
$allowed_chars = _image_captcha_utf8_split($config->get('image_captcha_image_allowed_chars', IMAGE_CAPTCHA_ALLOWED_CHARACTERS)); $allowed_chars = _image_captcha_utf8_split($config->get('image_captcha_image_allowed_chars', IMAGE_CAPTCHA_ALLOWED_CHARACTERS));
$code_length = (int) $config->get('image_captcha_code_length'); $code_length = (int) $config->get('image_captcha_code_length');
$code = ''; $code = '';
......
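Review bot: The added `use Drupal\Component\Utility\Crypt;` is appended after the Symfony import, while the surrounding `use` block is alphabetised; Drupal coding standards sort use statements, so it belongs ahead of `use Drupal\Core\Database\Database;`. The replacement for md5(mt_rand()) changes the token's character set and length (URL-safe base64, 43 characters for the default 32 bytes if I recall Crypt::randomBytesBase64() correctly — confirm), so a comment on that line such as `// Cryptographically random, URL-safe base64; must match the set accepted by _captcha_get_posted_captcha_info().` would record what downstream code now depends on. The enclosing method continues past the hunk, so where this token is persisted or emitted is not visible here.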
...@@ -7,6 +7,7 @@ use Drupal\Core\Form\FormStateInterface; ...@@ -7,6 +7,7 @@ use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface; use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\Core\Render\Element\FormElement; use Drupal\Core\Render\Element\FormElement;
use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\DependencyInjection\ContainerInterface;
use Drupal\Component\Utility\Crypt;
/** /**
* Defines the CAPTCHA form element with default properties. * Defines the CAPTCHA form element with default properties.
...@@ -114,7 +115,7 @@ class Captcha extends FormElement implements ContainerFactoryPluginInterface { ...@@ -114,7 +115,7 @@ class Captcha extends FormElement implements ContainerFactoryPluginInterface {
// Generate a new CAPTCHA session if we could // Generate a new CAPTCHA session if we could
// not reuse one from a posted form. // not reuse one from a posted form.
$captcha_sid = _captcha_generate_captcha_session($this_form_id, CAPTCHA_STATUS_UNSOLVED); $captcha_sid = _captcha_generate_captcha_session($this_form_id, CAPTCHA_STATUS_UNSOLVED);
$captcha_token = md5(mt_rand()); $captcha_token = Crypt::randomBytesBase64();
\Drupal::database()->update('captcha_sessions') \Drupal::database()->update('captcha_sessions')
->fields(['token' => $captcha_token]) ->fields(['token' => $captcha_token])
->condition('csid', $captcha_sid) ->condition('csid', $captcha_sid)
......
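Review bot: The value written to `captcha_sessions.token` in the update call just after the changed line is now Crypt::randomBytesBase64() output, which for its default size is a 43-character URL-safe base64 string rather than the 32-character hex digest md5() produced; if the schema's `token` column is narrower than that, the stored value is truncated and a posted token can never match — confirm the column length in the module's install file before relying on this. A comment on the generation line would make the constraint explicit: `// Random URL-safe base64 token (43 chars by default); token column must be at least that wide.` As in the controller, the new `use Drupal\Component\Utility\Crypt;` is appended out of alphabetical order. The surrounding method begins before and continues after this hunk.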