Hi,

On servers with "open_basedir restrictions", the function file_exists() throws a warning, instead of returning false, as it should do, IMHO. The problem is that users on these servers are also most likely not able to control the settings of the server, and as such, can't prevent these warnings themselves. It's really bad practice to suppress warnings with the @-operator, but as far as i know there's no proper way to circumvent these. For one, is_readable() throws the same warning.

Full error message:

Warning: file_exists() [function.file-exists]: open_basedir restriction in
effect. File(/dev/urandom) is not within the allowed path(s): (/usr/share/php:/f
oo/:/usr/share/pear:/usr/sbin:/usr/bin:/bin:/tmp:/etc/phpmyadmin:/usr/lib/php4:/
usr/lib/php5:/opt/ioncube/lib) in /foo/public_html/vendor/ircmaxell/random-
lib/lib/RandomLib/Source/URandom.php on line 57

Warning: Cannot modify header information - headers already sent by (output
started at /foo/public_html/vendor/ircmaxell/random-
lib/lib/RandomLib/Source/URandom.php:57) in
/foo/public_html/app/src/Bolt/Users.php on line 285 Redirecting to /beheer/.

I am currently running the following code below

$factory = new RandomLib\Factory;
$generator = $factory->getMediumStrengthGenerator();
$randomString = $generator->generateString(128);

I am getting an unitialized offset error on Line 268 https://github.com/ircmaxell/RandomLib/blob/master/lib/RandomLib/Generator.php#L268

It's because line Line 266 is returning 113 bytes sometimes 117 bytes or sometimes 123 bytes and a few times it doesn't error at all and the code works fine. https://github.com/ircmaxell/RandomLib/blob/master/lib/RandomLib/Generator.php#L266

Any ideas on how I can investigate this further or try something that would fix the issue?

current setup on production is: PHP Version 5.3.10-1ubuntu3.24 Aug 1 2016 20:14:32 SSL Version: OpenSSL/1.0.1 Host: x86_64-pc-linux-gnu Ubuntu 12.04

I don't get this error on my development box which is on virtual box same php version and ubuntu version 12.04, I have checked all the mbstring settings which are on and UTF-8 and other PHP settings are the same.

Appreciate any help or advice on this issue, Thanks.

Hello, I am using this library to generate unique 7 character base62 strings. My code is similar to the following:

$charset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

return (new Factory())->getMediumStrengthGenerator()->generateString(7, $charset);

After seeing this issue: https://github.com/ramsey/uuid/issues/80 I was wondering if my system would have collisions as well. I tried a variation of this script and indeed, I had a collision after about 1.2 million generated strings. It is my understanding that there are over 2 trillion possibilities with my system.

I tried increasing the length to 10 (which would give like 400 quadrillion possibilities) and after 12 million keys there were no collisions.

I'm trying to understand why 7 isn't good enough.

Thanks.

Turns the second parameter $characters into a mixed parameter. When passing in an Integer it will be treated as a flag. Relevant flags are available within the Generator class as constants.

Example:

$generator->generateString(16, Generator::LOWER_CASE | Generator::DIGITS);

Yields something similar to:

yofch5qkv2nx0oay

Took inspiration from: http://pwgen-win.sourceforge.net/

add to lib folder, or tell users that they need that library founded in your https://github.com/ircmaxell/SecurityLib/releases. don't know if the installer install securitylib as well, but for users which like the manual download this can be frustrating.

Please tag a new release, because some projects like bolt/bolt started to reference dev-master:

https://github.com/bolt/bolt/blob/master/composer.json

Expanding on the work by @flip111, I have added support for several constant based string combinations.

Please review and provide feedback.

Also note that a few minor bugs with string generation were found and fixed in this attempt, so if this is rejected they should be ported as well.

An extraordinary bug I spotted while reading your source. I decided to double check.

To reproduce: try generating random int using the default arguments of 0 and PHP_INT_MAX. You will ALWAYS get 0 as result.

I added this unit test method as a PoC:

    function test_bug() {
        for ($i = 0; $i < 1000; $i++) {
            $res = $this->generator->generateInt(0, PHP_INT_MAX);
            echo "$res ";
        }
        echo "\n\n";
    }

And got output:

$ vendor/bin/phpunit test
PHPUnit 3.7.28-24-g92e8faf by Sebastian Bergmann.

Configuration read from /private/tmp/RandomLib/phpunit.xml.dist

.....................................0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

..........................  63 / 159 ( 39%)
............................................................... 126 / 159 ( 79%)
.................................

Time: 853 ms, Memory: 7.25Mb

OK (159 tests, 4484 assertions)

The bug comes about due to this line: https://github.com/ircmaxell/RandomLib/blob/master/lib/RandomLib/Generator.php#L113

In case where range is large enough to require 63 bits to represent it, pow(2, 63) is a float with not enough bits to represent it. This means that pow(2, 63) - 1 is actually an IDENTICAL float (i.e. still 9.2233720368548E+18) and so the int cast turns the mask back into 1 << 63.

Your range test case with input array(100000, \PHP_INT_MAX) actually does hit this bug but since you only assert the result is in range it passes (it is infact ALWAYS returning 100000).

Even using 1 << $bits which gives you actual int doesn't help since the result in this case is -9223372036854775808 so the subtraction of 1 gets you back to a float (not enough bits to represent a //lower// number and the int cast gets you right back to the same place.

I think the simplest correct solution would be to add a special case:

if ($bits == 63) {
    $mask = 0x7fffffffffffffff;
} else {
    $mask = (1 << $bits) - 1;
}

Currently the library contains only the Hash mixer, which is a medium strength mixer. Because of that, the high strength generator is not working out of the box.

Since I'm not a security expert, do you have any advice of how to implement one?

I've seen on this issue that this has already been reported.

Thanks,

I am interested in using this library as an option for random test input in Eris, but I was wondering if is possible to seed the generators to get a reproducible test run. This option may depend on the source, as I don't think /dev/urandom is seedable at all while mt_rand() is, albeit by using global state.

Thank you for any pointers.

Hi,

just tried to use the High Strength Generator and received an error with "Could not find mixer". Do you know what causes the issue?

Regards, Jan

Update: Just noticed, that there are no High Strength mixer shipped by default.

OS: Windows

randrange gives security issue. It is less secured to use this function. If it gets integrated with os.urandom, which is a cryprographic PRNG method, it would provide higher security.

Somewhat typical situation with a password is that it should not be totally random - it should for example contain one number, one lowercase character and one uppercase character. Or it should contain a special character.

Currently the passwords are generated entirely randomly. So let's say I wanted to create a password that would match following regexes: ~[0-9]~, ~[a-f]~. Then with $generator->generateString(12, 'abcdef0123456789'); you'll get a password aaaabbbbcccc or something like that that wouldn't match the expected format as it's missing the numbers. It's certainly possible to test the generated password and try again unless it passes, but that may well lead to approximately endless loop.

Do you think it would be possible to extend the generator to add an option to generate random strings that pass typical requirements (contains numbers, uppercase, lowercase, special char)? Or what approach would you suggest in such scenarios?

I'm worried that userland implementations (like replacing random character with rand(0,9) if number is missing) could mean potential security issues and it's something this library tries to prevent.

When i use this library,it get error ( ! ) Fatal error: Class 'SecurityLib\AbstractFactory' not found in C:\wamp64\www\test\RandomLib-master\lib\RandomLib\Factory.php on line 43

ircmaxell/random-lib/lib/RandomLib/AbstractMcryptMixer.php:75

public function __construct() { **$this->mcrypt = mcrypt_module_open($this->getCipher(), '', MCRYPT_MODE_ECB, '');** $this->blockSize = mcrypt_enc_get_block_size($this->mcrypt); $this->initv = str_repeat(chr(0), mcrypt_enc_get_iv_size($this->mcrypt)); }

http://php.net/manual/en/function.mcrypt-module-open.php

This pull request fixes an issue where an XOR operation is done in both AbstractMixer and XORMixer, causing the source from the previous iteration to get XORed with itself, setting it to zero. This in turn causes XORMixer to always return the last source verbatim.

AbstractMixer::mix() contains the following code:

if ($j % 2 == 1) {
    $stub ^= $this->mixParts1($stub, $newKey);
} else {
    $stub ^= $this->mixParts2($stub, $newKey);
}

By inlining XorMixer::mixParts1() and XorMixer::mixParts2(), we get:

if ($j % 2 == 1) {
    $stub = $stub ^ $stub ^ $newKey;
} else {
    $stub = $stub ^ $stub ^ $newKey;
}

which is equivalent to:

if ($j % 2 == 1) {
    $stub = $newKey;
} else {
    $stub = $newKey;
}