[aur-dev] [PATCH 3/5] remove unneeded make_seed()

Lukas Fleischer archlinux at cryptocrack.de
Sat Jun 25 02:54:21 EDT 2011 

On Wed, Jun 22, 2011 at 09:36:42PM +0200, Florian Pritz wrote:
> http://us.php.net/mt_srand
> > Note: As of PHP 4.2.0, there is no need to seed the random number
> > generator with srand() or mt_srand() as this is now done
> > automatically.
> 
> Signed-off-by: Florian Pritz <bluewind at xinu.at>
> ---
>  web/lib/aur.inc.php |   12 +-----------
>  1 files changed, 1 insertions(+), 11 deletions(-)
> 
> diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
> index 3250133..382578c 100644
> --- a/web/lib/aur.inc.php
> +++ b/web/lib/aur.inc.php
> @@ -81,25 +81,15 @@ function valid_email($addy) {
>  	return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE;
>  }
>  
> -# a new seed value for mt_srand()
> -#
> -function make_seed() {
> -	list($usec, $sec) = explode(' ', microtime());
> -	return (float) $sec + ((float) $usec * 10000);
> -}
> -
>  # generate a (hopefully) unique session id
>  #
>  function new_sid() {
> -	mt_srand(make_seed());
>  	$ts = time();
>  	$pid = getmypid();
>  
> -	$rand_num = mt_rand();
> -	mt_srand(make_seed());
>  	$rand_str = substr(md5(mt_rand()),2, 20);
>  
> -	$id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num;
> +	$id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand();
>  	return strtoupper(md5($id));

The session ID generation seems more of a arbitrary composition of
commands to me anyway. Looking at the "$rand_str" calculation and the
last two lines of code, it's easy to see that the amount of
self-information of a session ID generated by current new_sid() even is
below MD5's digest size of 128 bit.

How about just using something like this:

----
return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true));
----

This is (kind of) clear and results in all session IDs of our session ID
universe being used (assuming that at least 256 different IP addresses
are in use and without taking MD5 vulnerabilities into account, of
course).

>  }
>  
> -- 
> 1.7.5.4

More information about the aur-dev mailing list