[Tickets #7447] Re: Audit for inappropriate use of mt_rand()
bugs at horde.org
Thu Mar 31 23:36:44 UTC 2011
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/7447
------------------------------------------------------------------------------
Ticket | 7447
Updated By | Jan Schneider <jan at horde.org>
-Summary | Audit for innappropriate use of mt_rand
+Summary | Audit for inappropriate use of mt_rand()
Queue | Horde Base
Version | Git master
Type | Bug
State | Assigned
Priority | 2. Medium
Milestone | 4.0
Patch |
Owners | Horde Developers, Chuck Hagenbuch
------------------------------------------------------------------------------
Jan Schneider <jan at horde.org> (2011-03-31 23:36) wrote:
The question is, what else do we use (additionally?) as a secret or
source of randomness? /dev/urandom is not available on all systems.
Our pre-generated secret_key doesn't change.
In Horde_Support we use:
- php_uname('n') or ip address (not random, only to avoid collisions)
- uniqid() (with the more-entropy parameter a good candidate)
- zend_thread_id()/getmypid() (short)
- microtime() (predictable)
Horde_Oauth and Horde_Token use microtime() and time(), respectively, for nonces.
This needs to be applied to:
Horde_Auth::getSalt(), genRandomPassword() (salt and password generation)
Horde_ActiveSync_State_Base::generatePolicyKey()
Horde_Secret::setKey()
Shout::genDeviceAuth()
And probably to share and object ids and resources too, since they
could be used to share hidden shares/objects through a secret url:
Horde_Core_Imsp_Utils::synchShares()
Kronolith_Resource::addResource()
Turba_Driver::_makeKey()
I'm unsure about:
Kolab_Storage
Only if being anal for:
Horde_Form_Type_image::getRandomId()
Horde_Util::createTempDir()
Gollem_Api::setSelectlist()
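As an added example (not Horde code and not part of the thread), one way to generate the secrets, salts, passwords and nonces listed above from a cryptographically secure source with a fail-closed fallback chain, instead of mt_rand(), uniqid() or microtime(). The horde_example_* function names are hypothetical; random_bytes() assumes PHP 7.0 or newer, which postdates this 2011 ticket, so the older OpenSSL and /dev/urandom paths are kept as fallbacks.

```php
<?php
// Added example (not Horde code): secrets, salts and nonces from a CSPRNG.
// Assumes PHP 7.0+ for random_bytes(); the fallbacks cover older builds.

/**
 * Return $length bytes from a CSPRNG. Never falls back to mt_rand()/rand().
 */
function horde_example_secure_bytes($length)
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }
    // PHP 7+: kernel-backed CSPRNG (getrandom(), CryptGenRandom, ...).
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    // PHP 5.3+ with OpenSSL: honour the "strong" flag, do not trust silently.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // /dev/urandom where it exists (the thread notes it is not universal).
    if (@is_readable('/dev/urandom')) {
        $fh = fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            $bytes = fread($fh, $length);
            fclose($fh);
            if (strlen($bytes) === $length) {
                return $bytes;
            }
        }
    }
    // Failing closed is the right behaviour for key/salt generation:
    // a predictable secret is worse than an error at setup time.
    throw new RuntimeException('No cryptographically secure randomness source available');
}

/** Hex-encoded secret, e.g. for Horde_Secret-style keys or secret share URLs. */
function horde_example_secret_hex($bytes = 32)
{
    return bin2hex(horde_example_secure_bytes($bytes));
}

/** Password or salt of printable characters, chosen without modulo bias. */
function horde_example_random_string($length, $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
{
    $out = '';
    $n = strlen($alphabet);
    // Largest multiple of $n that fits in a byte; bytes above it are rejected
    // so every alphabet character is equally likely.
    $limit = 256 - (256 % $n);
    while (strlen($out) < $length) {
        $b = ord(horde_example_secure_bytes(1));
        if ($b >= $limit) {
            continue; // rejection sampling keeps the distribution uniform
        }
        $out .= $alphabet[$b % $n];
    }
    return $out;
}

/** Nonce: the timestamp only bounds a replay window; uniqueness comes from the random part. */
function horde_example_nonce()
{
    return time() . '-' . bin2hex(horde_example_secure_bytes(16));
}

echo horde_example_secret_hex(32), PHP_EOL;
echo horde_example_random_string(16), PHP_EOL;
echo horde_example_nonce(), PHP_EOL;
```

The design point is the order of the fallback chain and the final exception: hostname, PID, uniqid() and microtime() can still be mixed in to avoid collisions, but none of them should ever be the only source when the value is used as a secret, salt or unguessable identifier.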