From e64b616fb4647a46bb790851e86d7fe3d788eea0 Mon Sep 17 00:00:00 2001 From: Alorel Date: Wed, 18 Nov 2015 21:04:49 +0000 Subject: [PATCH] 1.3.3 --- CHANGELOG.md | 7 + coverage/Alo.php.html | 411 ++++++++++++------------ coverage/dashboard.html | 6 +- coverage/index.html | 2 +- docs/class-AloFramework.Common.Alo.html | 7 +- src/Alo.php | 16 +- 6 files changed, 240 insertions(+), 209 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 647aeab..b6d5ff0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +# 1.3.3 # + +The following happened to getUniqid(): + +Default $entropy value set to 10000, a warning is triggered if openssl_random_pseudo_bytes is unable to locate a +cryptographically strong algorithm. + # 1.3.2 # ENT_SUBSTITUTE added to Alo::unXss() diff --git a/coverage/Alo.php.html b/coverage/Alo.php.html index 075a6b5..70fd42b 100644 --- a/coverage/Alo.php.html +++ b/coverage/Alo.php.html @@ -87,7 +87,7 @@
100.00%
15 / 15
- 33 + 34
100.00% covered (success) @@ -141,7 +141,7 @@ -  getUniqid +  getUniqid
100.00% covered (success) @@ -150,7 +150,7 @@
100.00%
1 / 1
- 2 + 3
100.00% covered (success) @@ -162,7 +162,7 @@ -  isIncludable +  isIncludable
100.00% covered (success) @@ -183,7 +183,7 @@ -  includeOnceIfExists +  includeOnceIfExists
100.00% covered (success) @@ -204,7 +204,7 @@ -  isCliRequest +  isCliRequest
100.00% covered (success) @@ -225,7 +225,7 @@ -  isRegularRequest +  isRegularRequest
100.00% covered (success) @@ -246,7 +246,7 @@ -  get +  get
100.00% covered (success) @@ -267,7 +267,7 @@ -  nullget +  nullget
100.00% covered (success) @@ -288,7 +288,7 @@ -  ifnull +  ifnull
100.00% covered (success) @@ -309,7 +309,7 @@ -  ifundefined +  ifundefined
100.00% covered (success) @@ -330,7 +330,7 @@ -  isAjaxRequest +  isAjaxRequest
100.00% covered (success) @@ -351,7 +351,7 @@ -  getFingerprint +  getFingerprint
100.00% covered (success) @@ -372,7 +372,7 @@ -  isTraversable +  isTraversable
100.00% covered (success) @@ -393,7 +393,7 @@ -  unXss +  unXss
100.00% covered (success) @@ -623,198 +623,209 @@          *          * @return string          * @see    https://secure.php.net/manual/en/function.hash.php -          * @since  1.3 -          * @codeCoverageIgnore -          */ -         static function getUniqid($hash = 'sha256', $prefix = '', $entropy = 250, $rawOutput = false) { -             $str = mt_rand(PHP_INT_MIN, PHP_INT_MAX) . json_encode([$_COOKIE, -                                                                     $_REQUEST, -                                                                     $_FILES, -                                                                     $_ENV, -                                                                     $_GET, -                                                                     $_POST, -                                                                     $_SERVER]) . uniqid($prefix, true) . -                    self::asciiRand($entropy, self::ASCII_ALL); - -             if (function_exists('\openssl_random_pseudo_bytes')) { -                 $str .= \openssl_random_pseudo_bytes($entropy); -             } else { -                 trigger_error('The openssl extension is not enabled, therefore the unique ID is not ' . -                               'cryptographically secure.', -                               E_USER_WARNING); -             } - -             return hash($hash, $str, $rawOutput); -         } - -         /** -          * Checks if the path is includable -          * @author Art <a.molcanovas@gmail.com> -          * -          * @param string $path The path -          * -          * @return bool -          */ -         private static function isIncludable($path) { -             return file_exists($path) && is_file($path); -         } - -         /** -          * include_once() a file if it exists -          * @author Art <a.molcanovas@gmail.com> +          * @see    https://secure.php.net/manual/en/function.openssl-random-pseudo-bytes.php +          * @since  1.3.3 Default $entropy value set to 10000, a warning is triggered if openssl_random_pseudo_bytes is +          * unable to locate a cryptographically strong algorithm.<br/> +          *         1.3 +          * @codeCoverageIgnore +          */ +         static function getUniqid($hash = 'sha256', $prefix = '', $entropy = 10000, $rawOutput = false) { +             $str = mt_rand(~PHP_INT_MAX, PHP_INT_MAX) . json_encode([$_COOKIE, +                                                                      $_REQUEST, +                                                                      $_FILES, +                                                                      $_ENV, +                                                                      $_GET, +                                                                      $_POST, +                                                                      $_SERVER]) . uniqid($prefix, true) . +                    self::asciiRand($entropy, self::ASCII_ALL); + +             if (function_exists('\openssl_random_pseudo_bytes')) { +                 $algoStrong = null; +                 $str .= \openssl_random_pseudo_bytes($entropy, $algoStrong); + +                 if ($algoStrong !== true) { +                     trigger_error('Please update your openssl & PHP libraries. openssl_random_pseudo_bytes was unable' . +                                   ' to locate a cryptographically strong algorithm.', +                                   E_USER_WARNING); +                 } +             } else { +                 trigger_error('The openssl extension is not enabled, therefore the unique ID is not ' . +                               'cryptographically secure.', +                               E_USER_WARNING); +             } + +             return hash($hash, $str, $rawOutput); +         } + +         /** +          * Checks if the path is includable +          * @author Art <a.molcanovas@gmail.com> +          * +          * @param string $path The path          * -          * @param string $path Path to the file -          * -          * @return bool True if the file is found, false if not -          */ -         static function includeOnceIfExists($path) { -             if (self::isIncludable($path)) { -                 include_once $path; - -                 return true; -             } - -             return false; -         } - -         /** -          * Checks if we're dealing with a CLI request -          * @author Art <a.molcanovas@gmail.com> -          * @return bool -          */ -         static function isCliRequest() { -             return PHP_SAPI == 'cli' || defined('STDIN'); -         } - -         /** -          * Checks if the request is non-ajax and non-CLI -          * @author Art <a.molcanovas@gmail.com> -          * @return bool -          * @since  1.3 +          * @return bool +          */ +         private static function isIncludable($path) { +             return file_exists($path) && is_file($path); +         } + +         /** +          * include_once() a file if it exists +          * @author Art <a.molcanovas@gmail.com> +          * +          * @param string $path Path to the file +          * +          * @return bool True if the file is found, false if not +          */ +         static function includeOnceIfExists($path) { +             if (self::isIncludable($path)) { +                 include_once $path; + +                 return true; +             } + +             return false; +         } + +         /** +          * Checks if we're dealing with a CLI request +          * @author Art <a.molcanovas@gmail.com> +          * @return bool          */ -         static function isRegularRequest() { -             return !self::isAjaxRequest() && !self::isCliRequest(); +         static function isCliRequest() { +             return PHP_SAPI == 'cli' || defined('STDIN');         }         /** -          * Returns $var if it's set, null if it's not -          * -          * @param mixed $var Reference to the variable -          * -          * @return mixed|null $var if it's set, null if it's not -          */ -         static function get(&$var) { -             return isset($var) ? $var : null; -         } - -         /** -          * Returns $var if it's set and evaluates as true (a non-empty string, non-0 int etc), null otherwise -          * @author Art <a.molcanovas@gmail.com> +          * Checks if the request is non-ajax and non-CLI +          * @author Art <a.molcanovas@gmail.com> +          * @return bool +          * @since  1.3 +          */ +         static function isRegularRequest() { +             return !self::isAjaxRequest() && !self::isCliRequest(); +         } + +         /** +          * Returns $var if it's set, null if it's not +          * +          * @param mixed $var Reference to the variable          * -          * @param mixed $var Reference to the variable -          * -          * @return mixed|null The var or null -          */ -         static function nullget(&$var) { -             return self::get($var) ? $var : null; -         } - -         /** -          * Returns $var if it's set $planB if it's not -          * @author Art <a.molcanovas@gmail.com> +          * @return mixed|null $var if it's set, null if it's not +          */ +         static function get(&$var) { +             return isset($var) ? $var : null; +         } + +         /** +          * Returns $var if it's set and evaluates as true (a non-empty string, non-0 int etc), null otherwise +          * @author Art <a.molcanovas@gmail.com> +          * +          * @param mixed $var Reference to the variable          * -          * @param mixed $var        Reference to the main variable -          * @param mixed $planB      What to return if $var isn't available -          * @param bool  $useNullget If set to true, will use self::nullget(), otherwise will use self::get() to -          *                          determinewhether $var is set -          * -          * @return mixed $var if available, $planB if not -          */ -         static function ifnull(&$var, $planB, $useNullget = false) { -             $v = $useNullget ? self::nullget($var) : self::get($var); - -             return $v !== null ? $v : $planB; -         } - -         /** -          * Returns the value of the constant with the name of $const if it's defined, $planB if it's not -          * @author Art <a.molcanovas@gmail.com> -          * -          * @param string $const Constant name -          * @param mixed  $planB What to return if $const isn't defined -          * -          * @return mixed -          * @since  1.1 -          */ -         static function ifundefined($const, $planB) { -             return defined($const) ? constant($const) : $planB; -         } - -         /** -          * Checks if the request was made via AJAX -          * @author Art <a.molcanovas@gmail.com> -          * @return bool -          */ -         static function isAjaxRequest() { -             return self::get($_SERVER['HTTP_X_REQUESTED_WITH']) == 'XMLHttpRequest'; -         } - -         /** -          * Returns a hashed browser fingerprint -          * +          * @return mixed|null The var or null +          */ +         static function nullget(&$var) { +             return self::get($var) ? $var : null; +         } + +         /** +          * Returns $var if it's set $planB if it's not +          * @author Art <a.molcanovas@gmail.com> +          * +          * @param mixed $var        Reference to the main variable +          * @param mixed $planB      What to return if $var isn't available +          * @param bool  $useNullget If set to true, will use self::nullget(), otherwise will use self::get() to +          *                          determinewhether $var is set +          * +          * @return mixed $var if available, $planB if not +          */ +         static function ifnull(&$var, $planB, $useNullget = false) { +             $v = $useNullget ? self::nullget($var) : self::get($var); + +             return $v !== null ? $v : $planB; +         } + +         /** +          * Returns the value of the constant with the name of $const if it's defined, $planB if it's not +          * @author Art <a.molcanovas@gmail.com> +          * +          * @param string $const Constant name +          * @param mixed  $planB What to return if $const isn't defined +          * +          * @return mixed +          * @since  1.1 +          */ +         static function ifundefined($const, $planB) { +             return defined($const) ? constant($const) : $planB; +         } + +         /** +          * Checks if the request was made via AJAX          * @author Art <a.molcanovas@gmail.com> -          * -          * @param string $hashAlgo Hash algorithm to use -          * -          * @return string -          * @since  1.2 -          */ -         static function getFingerprint($hashAlgo = 'sha256') { -             return hash($hashAlgo, -                         '#QramRAN7*s%6n%@x*53jVVPsnrz@5MY$49o^mhJ8HqY%3a09yJnSWg9lBl$O4CKUb&&S%EgYBjhUZEbhquw$keCjR6I%zMcA!Qr' . -                         self::get($_SERVER['HTTP_USER_AGENT']) . -                         'OE2%fWaZh4jfZPiNXKmHfUw6ok6Z0s#PInaFa8&o#xh#nVyaFaXHPUcv^2y579PnYr5AOs6Zqb!QTAZCgRR968*%QxKc^XNuYYM8' . -                         self::get($_SERVER['HTTP_DNT']) . -                         '%CwyJJ^GAooDl&o0mc%7zbWlD^6tWoNSN&m3cKxWLP8kiBqO!j2PM5wACzyOoa^t7AEJ#FlDT!BMtD$luy%2iZejMVzktaiftpg*' . -                         self::get($_SERVER['HTTP_ACCEPT_LANGUAGE']) . -                         'tep!uTwVXk1CedJq0osEI7p&XCxnC3ipGDWEpTXULEg8J!K1NJSxe4GPor$R3OOb**ZjzPN$$SOHe4ZDcQWQULdtT&XxP2!YYxZy'); -         } - -         /** -          * Checks if the variable is usable in a foreach loop -          * @author Art <a.molcanovas@gmail.com> -          * -          * @param mixed $input The variable -          * -          * @return bool -          * @since  1.2 -          */ -         static function isTraversable($input) { -             return is_array($input) || $input instanceof Traversable; -         } - -         /** -          * Protects the input from cross-site scripting attacks -          * @author Art <a.molcanovas@gmail.com> -          * -          * @param string|array|Traversable $input The scalar input, or an array/Traversable -          * -          * @return string|array|Traversable The escaped string. If an array or traversable was passed on, the input -          * withall its applicable values escaped. -          * @since  1.2 -          */ -         static function unXss($input) { -             if (self::isTraversable($input)) { -                 foreach ($input as &$i) { -                     $i = self::unXss($i); -                 } -             } elseif (is_scalar($input)) { -                 $input = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5); -             } - -             return $input; -         } -     } +          * @return bool +          */ +         static function isAjaxRequest() { +             return self::get($_SERVER['HTTP_X_REQUESTED_WITH']) == 'XMLHttpRequest'; +         } + +         /** +          * Returns a hashed browser fingerprint +          * +          * @author Art <a.molcanovas@gmail.com> +          * +          * @param string $hashAlgo Hash algorithm to use +          * +          * @return string +          * @since  1.2 +          */ +         static function getFingerprint($hashAlgo = 'sha256') { +             return hash($hashAlgo, +                         '#QramRAN7*s%6n%@x*53jVVPsnrz@5MY$49o^mhJ8HqY%3a09yJnSWg9lBl$O4CKUb&&S%EgYBjhUZEbhquw$keCjR6I%zMcA!Qr' . +                         self::get($_SERVER['HTTP_USER_AGENT']) . +                         'OE2%fWaZh4jfZPiNXKmHfUw6ok6Z0s#PInaFa8&o#xh#nVyaFaXHPUcv^2y579PnYr5AOs6Zqb!QTAZCgRR968*%QxKc^XNuYYM8' . +                         self::get($_SERVER['HTTP_DNT']) . +                         '%CwyJJ^GAooDl&o0mc%7zbWlD^6tWoNSN&m3cKxWLP8kiBqO!j2PM5wACzyOoa^t7AEJ#FlDT!BMtD$luy%2iZejMVzktaiftpg*' . +                         self::get($_SERVER['HTTP_ACCEPT_LANGUAGE']) . +                         'tep!uTwVXk1CedJq0osEI7p&XCxnC3ipGDWEpTXULEg8J!K1NJSxe4GPor$R3OOb**ZjzPN$$SOHe4ZDcQWQULdtT&XxP2!YYxZy'); +         } + +         /** +          * Checks if the variable is usable in a foreach loop +          * @author Art <a.molcanovas@gmail.com> +          * +          * @param mixed $input The variable +          * +          * @return bool +          * @since  1.2 +          */ +         static function isTraversable($input) { +             return is_array($input) || $input instanceof Traversable; +         } + +         /** +          * Protects the input from cross-site scripting attacks +          * @author Art <a.molcanovas@gmail.com> +          * +          * @param string|array|Traversable $input The scalar input, or an array/Traversable +          * +          * @return string|array|Traversable The escaped string. If an array or traversable was passed on, the input +          * withall its applicable values escaped. +          * @since  1.3.2 ENT_SUBSTITUTE added<br/> +          *         1.2 +          */ +         static function unXss($input) { +             if (self::isTraversable($input)) { +                 foreach ($input as &$i) { +                     $i = self::unXss($i); +                 } +             } elseif (is_scalar($input)) { +                 $input = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE); +             } + +             return $input; +         } +     } @@ -827,7 +838,7 @@

Legend

Dead Code

- Generated by PHP_CodeCoverage 3.0.1 using PHP 5.6.14 and PHPUnit 5.0.8 at Tue Oct 27 16:36:56 GMT 2015. + Generated by PHP_CodeCoverage 3.0.2 using PHP 5.6.15 and PHPUnit 5.0.9 at Wed Nov 18 21:06:08 GMT 2015.

diff --git a/coverage/dashboard.html b/coverage/dashboard.html index 2ef620a..2a2b6ad 100644 --- a/coverage/dashboard.html +++ b/coverage/dashboard.html @@ -136,7 +136,7 @@

Project Risks

@@ -225,7 +225,7 @@

Project Risks

chart.yAxis.axisLabel('Cyclomatic Complexity'); d3.select('#classComplexity svg') - .datum(getComplexityData([[100,33,"Alo<\/a>"]], 'Class Complexity')) + .datum(getComplexityData([[100,34,"Alo<\/a>"]], 'Class Complexity')) .transition() .duration(500) .call(chart); @@ -249,7 +249,7 @@

Project Risks

chart.yAxis.axisLabel('Method Complexity'); d3.select('#methodComplexity svg') - .datum(getComplexityData([[100,2,"
Alo::includeIfExists<\/a>"],[100,4,"Alo::asciiRand<\/a>"],[100,2,"Alo::getUniqid<\/a>"],[100,2,"Alo::isIncludable<\/a>"],[100,2,"Alo::includeOnceIfExists<\/a>"],[100,2,"Alo::isCliRequest<\/a>"],[100,2,"Alo::isRegularRequest<\/a>"],[100,2,"Alo::get<\/a>"],[100,2,"Alo::nullget<\/a>"],[100,3,"Alo::ifnull<\/a>"],[100,2,"Alo::ifundefined<\/a>"],[100,1,"Alo::isAjaxRequest<\/a>"],[100,1,"Alo::getFingerprint<\/a>"],[100,2,"Alo::isTraversable<\/a>"],[100,4,"Alo::unXss<\/a>"]], 'Method Complexity')) + .datum(getComplexityData([[100,2,"Alo::includeIfExists<\/a>"],[100,4,"Alo::asciiRand<\/a>"],[100,3,"Alo::getUniqid<\/a>"],[100,2,"Alo::isIncludable<\/a>"],[100,2,"Alo::includeOnceIfExists<\/a>"],[100,2,"Alo::isCliRequest<\/a>"],[100,2,"Alo::isRegularRequest<\/a>"],[100,2,"Alo::get<\/a>"],[100,2,"Alo::nullget<\/a>"],[100,3,"Alo::ifnull<\/a>"],[100,2,"Alo::ifundefined<\/a>"],[100,1,"Alo::isAjaxRequest<\/a>"],[100,1,"Alo::getFingerprint<\/a>"],[100,2,"Alo::isTraversable<\/a>"],[100,4,"Alo::unXss<\/a>"]], 'Method Complexity')) .transition() .duration(500) .call(chart); diff --git a/coverage/index.html b/coverage/index.html index 1ac9995..5954d4c 100644 --- a/coverage/index.html +++ b/coverage/index.html @@ -108,7 +108,7 @@

Legend

High: 90% to 100%

- Generated by PHP_CodeCoverage 3.0.1 using PHP 5.6.14 and PHPUnit 5.0.8 at Tue Oct 27 16:36:56 GMT 2015. + Generated by PHP_CodeCoverage 3.0.2 using PHP 5.6.15 and PHPUnit 5.0.9 at Wed Nov 18 21:06:08 GMT 2015.

diff --git a/docs/class-AloFramework.Common.Alo.html b/docs/class-AloFramework.Common.Alo.html index cdfae79..a5d5b98 100644 --- a/docs/class-AloFramework.Common.Alo.html +++ b/docs/class-AloFramework.Common.Alo.html @@ -235,7 +235,7 @@

Since

# - getUniqid( string $hash = 'sha256', string $prefix = '', integer $entropy = 250, boolean $rawOutput = false ) + getUniqid( string $hash = 'sha256', string $prefix = '', integer $entropy = 10000, boolean $rawOutput = false )

Generates a unique identifier

@@ -269,11 +269,14 @@

Author

Since

- 1.3
+

1.3.3 Default $entropy value set to 10000, a warning is triggered if openssl_random_pseudo_bytes is +unable to locate a cryptographically strong algorithm.
+ 1.3


See

https://secure.php.net/manual/en/function.hash.php
+ https://secure.php.net/manual/en/function.openssl-random-pseudo-bytes.php

Codecoverageignore

diff --git a/src/Alo.php b/src/Alo.php index 901f027..5e5f8a1 100644 --- a/src/Alo.php +++ b/src/Alo.php @@ -203,10 +203,13 @@ static function asciiRand($length, $subset = self::ASCII_ALL) { * * @return string * @see https://secure.php.net/manual/en/function.hash.php - * @since 1.3 + * @see https://secure.php.net/manual/en/function.openssl-random-pseudo-bytes.php + * @since 1.3.3 Default $entropy value set to 10000, a warning is triggered if openssl_random_pseudo_bytes is + * unable to locate a cryptographically strong algorithm.
+ * 1.3 * @codeCoverageIgnore */ - static function getUniqid($hash = 'sha256', $prefix = '', $entropy = 250, $rawOutput = false) { + static function getUniqid($hash = 'sha256', $prefix = '', $entropy = 10000, $rawOutput = false) { $str = mt_rand(~PHP_INT_MAX, PHP_INT_MAX) . json_encode([$_COOKIE, $_REQUEST, $_FILES, @@ -217,7 +220,14 @@ static function getUniqid($hash = 'sha256', $prefix = '', $entropy = 250, $rawOu self::asciiRand($entropy, self::ASCII_ALL); if (function_exists('\openssl_random_pseudo_bytes')) { - $str .= \openssl_random_pseudo_bytes($entropy); + $algoStrong = null; + $str .= \openssl_random_pseudo_bytes($entropy, $algoStrong); + + if ($algoStrong !== true) { + trigger_error('Please update your openssl & PHP libraries. openssl_random_pseudo_bytes was unable' . + ' to locate a cryptographically strong algorithm.', + E_USER_WARNING); + } } else { trigger_error('The openssl extension is not enabled, therefore the unique ID is not ' . 'cryptographically secure.',