Commit 6731656f authored by nlohar's avatar nlohar Committed by Fabiano Sant'Ana

Issue #3103145 by omkar06, nileshlohar, wundo, Heine: Weak algorithms usage should be avoided

parent a1f552f0
......@@ -396,7 +396,7 @@ function _captcha_get_posted_captcha_info(array $element, FormStateInterface $fo
(int) $input['captcha_sid']
: NULL;
$posted_captcha_token = isset($input['captcha_token']) ?
preg_replace("/[^a-zA-Z0-9]/", "", (string) $input['captcha_token'])
preg_replace("/[^a-zA-Z0-9-_]/", "", (string) $input['captcha_token'])
: NULL;
if ($posted_form_id == $this_form_id) {
......
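Review bot: The new character class `[^a-zA-Z0-9-_]` places the hyphen directly after the `0-9` range, where PCRE reads it as a literal, but the intent is easy to misread and a later edit to the class could turn it into a range. Writing the line as `preg_replace("/[^a-zA-Z0-9_-]/", "", (string) $input['captcha_token'])` keeps the same behaviour with the hyphen unambiguously literal. A short comment such as `// Tokens are URL-safe base64 from Crypt::randomBytesBase64(), so '-' and '_' must survive this filter.` would tie the filter to the generator changed elsewhere in this commit. The body of _captcha_get_posted_captcha_info starts and ends outside the hunk.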
......@@ -12,6 +12,7 @@ use Drupal\Core\Database\Database;
use Drupal\Core\Url;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Drupal\Component\Utility\Crypt;
/**
* Description of CaptchaImageRefresh.
......@@ -56,7 +57,7 @@ class CaptchaImageRefresh extends ControllerBase {
module_load_include('inc', 'captcha', 'captcha');
$config = $this->config('image_captcha.settings');
$captcha_sid = _captcha_generate_captcha_session($form_id);
$captcha_token = md5(mt_rand());
$captcha_token = Crypt::randomBytesBase64();
$allowed_chars = _image_captcha_utf8_split($config->get('image_captcha_image_allowed_chars', IMAGE_CAPTCHA_ALLOWED_CHARACTERS));
$code_length = (int) $config->get('image_captcha_code_length');
$code = '';
......
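Review bot: The line `$captcha_token = Crypt::randomBytesBase64();` is repeated verbatim in the Captcha form element section below, and both copies silently depend on the filter in _captcha_get_posted_captcha_info accepting the URL-safe base64 alphabet. With the default argument the token should be 43 characters, where `md5()` gave 32, and the width of the `captcha_sessions` token column is not visible on this page. Confirm the column holds the longer value, because a truncated stored token would never match the posted one. A comment at both call sites, for example `// CSPRNG-backed URL-safe base64 token; alphabet must match the filter in _captcha_get_posted_captcha_info().`, or a single shared helper, would keep generator and filter from drifting apart. The enclosing method starts and ends outside the hunk.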
......@@ -7,6 +7,7 @@ use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\Core\Render\Element\FormElement;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Drupal\Component\Utility\Crypt;
/**
* Defines the CAPTCHA form element with default properties.
......@@ -114,7 +115,7 @@ class Captcha extends FormElement implements ContainerFactoryPluginInterface {
// Generate a new CAPTCHA session if we could
// not reuse one from a posted form.
$captcha_sid = _captcha_generate_captcha_session($this_form_id, CAPTCHA_STATUS_UNSOLVED);
$captcha_token = md5(mt_rand());
$captcha_token = Crypt::randomBytesBase64();
\Drupal::database()->update('captcha_sessions')
->fields(['token' => $captcha_token])
->condition('csid', $captcha_sid)
......