"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "framework/base/Security.php" between
yii2-2.0.35.tar.gz and yii2-2.0.36.tar.gz

About: Yii 2 is a high-performance component-based PHP framework for developing large-scale Web applications (source).

Security.php  (yii2-2.0.35):Security.php  (yii2-2.0.36)
skipping to change at line 95 skipping to change at line 95
public $passwordHashStrategy; public $passwordHashStrategy;
/** /**
* @var int Default cost used for password hashing. * @var int Default cost used for password hashing.
* Allowed value is between 4 and 31. * Allowed value is between 4 and 31.
* @see generatePasswordHash() * @see generatePasswordHash()
* @since 2.0.6 * @since 2.0.6
*/ */
public $passwordHashCost = 13; public $passwordHashCost = 13;
/** /**
* @var boolean if LibreSSL should be used.
* The recent (> 2.1.5) LibreSSL RNGs are faster and likely better than /dev
/urandom.
*/
private $_useLibreSSL;
/**
* @return bool if LibreSSL should be used
* Use version is 2.1.5 or higher.
* @since 2.0.36
*/
protected function shouldUseLibreSSL()
{
if ($this->_useLibreSSL === null) {
// Parse OPENSSL_VERSION_TEXT because OPENSSL_VERSION_NUMBER is no u
se for LibreSSL.
// https://bugs.php.net/bug.php?id=71143
$this->_useLibreSSL = defined('OPENSSL_VERSION_TEXT')
&& preg_match('{^LibreSSL (\d\d?)\.(\d\d?)\.(\d\d?)$}', OPENSSL_
VERSION_TEXT, $matches)
&& (10000 * $matches[1]) + (100 * $matches[2]) + $matches[3] >=
20105;
}
return $this->_useLibreSSL;
}
/**
* @return bool if operating system is Windows
*/
private function isWindows()
{
return DIRECTORY_SEPARATOR !== '/';
}
/**
* Encrypts data using a password. * Encrypts data using a password.
* Derives keys for encryption and authentication from the password using PB KDF2 and a random salt, * Derives keys for encryption and authentication from the password using PB KDF2 and a random salt,
* which is deliberately slow to protect against dictionary attacks. Use [[e ncryptByKey()]] to * which is deliberately slow to protect against dictionary attacks. Use [[e ncryptByKey()]] to
* encrypt fast using a cryptographic key rather than a password. Key deriva tion time is * encrypt fast using a cryptographic key rather than a password. Key deriva tion time is
* determined by [[$derivationIterations]], which should be set as high as p ossible. * determined by [[$derivationIterations]], which should be set as high as p ossible.
* The encrypted data includes a keyed message authentication code (MAC) so there is no need * The encrypted data includes a keyed message authentication code (MAC) so there is no need
* to hash input or output data. * to hash input or output data.
* > Note: Avoid encrypting with passwords wherever possible. Nothing can pr otect against * > Note: Avoid encrypting with passwords wherever possible. Nothing can pr otect against
* poor-quality or compromised passwords. * poor-quality or compromised passwords.
* @param string $data the data to encrypt * @param string $data the data to encrypt
skipping to change at line 441 skipping to change at line 473
$calculatedHash = hash_hmac($this->macHash, $pureData, $key, $rawHas h); $calculatedHash = hash_hmac($this->macHash, $pureData, $key, $rawHas h);
if ($this->compareString($hash, $calculatedHash)) { if ($this->compareString($hash, $calculatedHash)) {
return $pureData; return $pureData;
} }
} }
return false; return false;
} }
private $_useLibreSSL;
private $_randomFile; private $_randomFile;
/** /**
* Generates specified number of random bytes. * Generates specified number of random bytes.
* Note that output may not be ASCII. * Note that output may not be ASCII.
* @see generateRandomString() if you need a string. * @see generateRandomString() if you need a string.
* *
* @param int $length the number of bytes to generate * @param int $length the number of bytes to generate
* @return string the generated random bytes * @return string the generated random bytes
* @throws InvalidArgumentException if wrong length is specified * @throws InvalidArgumentException if wrong length is specified
skipping to change at line 470 skipping to change at line 501
if ($length < 1) { if ($length < 1) {
throw new InvalidArgumentException('First parameter ($length) must b e greater than 0'); throw new InvalidArgumentException('First parameter ($length) must b e greater than 0');
} }
// always use random_bytes() if it is available // always use random_bytes() if it is available
if (function_exists('random_bytes')) { if (function_exists('random_bytes')) {
return random_bytes($length); return random_bytes($length);
} }
// The recent LibreSSL RNGs are faster and likely better than /dev/urand om. // The recent LibreSSL RNGs are faster and likely better than /dev/urand om.
// Parse OPENSSL_VERSION_TEXT because OPENSSL_VERSION_NUMBER is no use f
or LibreSSL.
// https://bugs.php.net/bug.php?id=71143
if ($this->_useLibreSSL === null) {
$this->_useLibreSSL = defined('OPENSSL_VERSION_TEXT')
&& preg_match('{^LibreSSL (\d\d?)\.(\d\d?)\.(\d\d?)$}', OPENSSL_
VERSION_TEXT, $matches)
&& (10000 * $matches[1]) + (100 * $matches[2]) + $matches[3] >=
20105;
}
// Since 5.4.0, openssl_random_pseudo_bytes() reads from CryptGenRandom on Windows instead // Since 5.4.0, openssl_random_pseudo_bytes() reads from CryptGenRandom on Windows instead
// of using OpenSSL library. LibreSSL is OK everywhere but don't use Ope nSSL on non-Windows. // of using OpenSSL library. LibreSSL is OK everywhere but don't use Ope nSSL on non-Windows.
if (function_exists('openssl_random_pseudo_bytes') if (function_exists('openssl_random_pseudo_bytes')
&& ($this->_useLibreSSL && ($this->shouldUseLibreSSL() || $this->isWindows())
|| (
DIRECTORY_SEPARATOR !== '/'
&& substr_compare(PHP_OS, 'win', 0, 3, true) === 0
))
) { ) {
$key = openssl_random_pseudo_bytes($length, $cryptoStrong); $key = openssl_random_pseudo_bytes($length, $cryptoStrong);
if ($cryptoStrong === false) { if ($cryptoStrong === false) {
throw new Exception( throw new Exception(
'openssl_random_pseudo_bytes() set $crypto_strong false. You r PHP setup is insecure.' 'openssl_random_pseudo_bytes() set $crypto_strong false. You r PHP setup is insecure.'
); );
} }
if ($key !== false && StringHelper::byteLength($key) === $length) { if ($key !== false && StringHelper::byteLength($key) === $length) {
return $key; return $key;
} }
skipping to change at line 508 skipping to change at line 527
// mcrypt_create_iv() does not use libmcrypt. Since PHP 5.3.7 it directl y reads // mcrypt_create_iv() does not use libmcrypt. Since PHP 5.3.7 it directl y reads
// CryptGenRandom on Windows. Elsewhere it directly reads /dev/urandom. // CryptGenRandom on Windows. Elsewhere it directly reads /dev/urandom.
if (function_exists('mcrypt_create_iv')) { if (function_exists('mcrypt_create_iv')) {
$key = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM); $key = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
if (StringHelper::byteLength($key) === $length) { if (StringHelper::byteLength($key) === $length) {
return $key; return $key;
} }
} }
// If not on Windows, try to open a random device. // If not on Windows, try to open a random device.
if ($this->_randomFile === null && DIRECTORY_SEPARATOR === '/') { if ($this->_randomFile === null && !$this->isWindows()) {
// urandom is a symlink to random on FreeBSD. // urandom is a symlink to random on FreeBSD.
$device = PHP_OS === 'FreeBSD' ? '/dev/random' : '/dev/urandom'; $device = PHP_OS === 'FreeBSD' ? '/dev/random' : '/dev/urandom';
// Check random device for special character device protection mode. Use lstat() // Check random device for special character device protection mode. Use lstat()
// instead of stat() in case an attacker arranges a symlink to a fak e device. // instead of stat() in case an attacker arranges a symlink to a fak e device.
$lstat = @lstat($device); $lstat = @lstat($device);
if ($lstat !== false && ($lstat['mode'] & 0170000) === 020000) { if ($lstat !== false && ($lstat['mode'] & 0170000) === 020000) {
$this->_randomFile = fopen($device, 'rb') ?: null; $this->_randomFile = fopen($device, 'rb') ?: null;
if (is_resource($this->_randomFile)) { if (is_resource($this->_randomFile)) {
// Reduce PHP stream buffer from default 8192 bytes to optim ize data // Reduce PHP stream buffer from default 8192 bytes to optim ize data
 End of changes. 5 change blocks. 
18 lines changed or deleted 38 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)