Skip to content

do not use uniqid() for generating dev tool tokens #57746

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 18, 2024
Merged

do not use uniqid() for generating dev tool tokens #57746

merged 1 commit into from
Jul 18, 2024

Conversation

xabbuh
Copy link
Member

@xabbuh xabbuh commented Jul 17, 2024

Q A
Branch? 7.2
Bug fix? no
New feature? no
Deprecations? no
Issues part of #57588
License MIT

@xabbuh xabbuh requested a review from dunglas as a code owner July 17, 2024 08:16
@carsonbot carsonbot added this to the 7.2 milestone Jul 17, 2024
alexandre-daubois
alexandre-daubois approved these changes Jul 17, 2024
View reviewed changes
Copy link
Member

@alexandre-daubois alexandre-daubois left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@OskarStark OskarStark changed the title do not use uniqid() for generating dev tool tokens do not use uniqid() for generating dev tool tokens Jul 17, 2024
@derrabus
Copy link
Member

How important is it to have collision-free tokens? I mean, the places where we've cut six characters out of a hash were certainly not collision-free, but TraceableSerializer used the (allegedly) collision-free uniqid() directly.

@xabbuh
Copy link
Member Author

xabbuh commented Jul 17, 2024

We could increase the length of the generated string. What do you think about that?

nicolas-grekas
nicolas-grekas approved these changes Jul 18, 2024
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's go with 4 bytes then?

@xabbuh
Copy link
Member Author

xabbuh commented Jul 18, 2024

updated for four random bytes

@nicolas-grekas
Copy link
Member

Thank you @xabbuh.

@nicolas-grekas nicolas-grekas merged commit 9a02660 into symfony:7.2 Jul 18, 2024
7 of 10 checks passed
@xabbuh xabbuh deleted the issue-57588 branch July 18, 2024 09:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derrabus derrabus derrabus left review comments

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@GromNaN GromNaN GromNaN approved these changes

@alexandre-daubois alexandre-daubois alexandre-daubois approved these changes

@dunglas dunglas Awaiting requested review from dunglas dunglas is a code owner

Assignees
No one assigned
Labels
Status: Reviewed
Projects
None yet
Milestone
7.2
Development

Successfully merging this pull request may close these issues.
6 participants
@xabbuh @derrabus @nicolas-grekas @GromNaN @alexandre-daubois @carsonbot