Fix bug #47890 #73215 uniqid() should use better random source
authorYasuo Ohgaki <yohgaki@php.net>
Tue, 18 Oct 2016 00:04:57 +0000 (09:04 +0900)
committerYasuo Ohgaki <yohgaki@php.net>
Tue, 18 Oct 2016 00:13:42 +0000 (09:13 +0900)
ext/standard/uniqid.c

index f429e6d4a0e8e414687b82a0536ebf1be7de8aa4..207cf01cb86b6dd88d85000d994d191be20e920e 100644 (file)
 #include <sys/time.h>
 #endif
 
-#include "php_lcg.h"
+#include "php_random.h"
 #include "uniqid.h"
 
+#define PHP_UNIQID_ENTROPY_LEN 10
+
 /* {{{ proto string uniqid([string prefix [, bool more_entropy]])
    Generates a unique ID */
 #ifdef HAVE_GETTIMEOFDAY
@@ -77,7 +79,22 @@ PHP_FUNCTION(uniqid)
         * digits for usecs.
         */
        if (more_entropy) {
-               uniqid = strpprintf(0, "%s%08x%05x%.8F", prefix, sec, usec, php_combined_lcg() * 10);
+               int i;
+               unsigned char c, entropy[PHP_UNIQID_ENTROPY_LEN+1];
+
+               for(i = 0; i < PHP_UNIQID_ENTROPY_LEN;) {
+                       php_random_bytes_throw(&c, sizeof(c));
+                       /* Avoid modulo bias */
+                       if (c > 249) {
+                               continue;
+                       }
+                       entropy[i] = c % 10 + '0';
+                       i++;
+               }
+               /* Set . for compatibility */
+               entropy[1] = '.';
+               entropy[PHP_UNIQID_ENTROPY_LEN] = '\0';
+               uniqid = strpprintf(0, "%s%08x%05x%s", prefix, sec, usec, entropy);
        } else {
                uniqid = strpprintf(0, "%s%08x%05x", prefix, sec, usec);
        }
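Review bot: The result of `php_random_bytes_throw(&c, sizeof(c))` is ignored inside the new `for` loop, so if the random source fails, `c` is read uninitialized and the loop either emits non-random digits or, if the stale value stays above 249, never terminates. Check the result and leave the function with the exception pending, e.g. `if (php_random_bytes_throw(&c, sizeof(c)) == FAILURE) { return; }`, assuming nothing allocated earlier in the function needs releasing. Requesting one byte per call also means at least one call into the random source per digit; filling a small buffer once and rejection-sampling from it would be cheaper. Because `entropy[1]` is overwritten with `.`, only nine random digits (about 30 bits) are appended to a timestamp, so the comment above the block should state that the result is still not suitable as a secret token. PHP_FUNCTION(uniqid) begins and ends outside this hunk.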