[SECURITY] 0-pad to length in random string generation

Otherwise shorter strings might be generated.

Bug: T115522
Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
Change-Id: I110d873d56762552060fd428c236c8b0e9a859b0

diff --git a/includes/password/PasswordFactory.php b/includes/password/PasswordFactory.php
index 6b634cb..f80e158 100644 (file)
--- a/includes/password/PasswordFactory.php
+++ b/includes/password/PasswordFactory.php
@@ -200,11 +200,10 @@ final class PasswordFactory {
                // stopping at a minimum of 10 chars.
                $length = max( 10, $minLength );
                // Multiply by 1.25 to get the number of hex characters we need
-               $length = $length * 1.25;
                // Generate random hex chars
-               $hex = MWCryptRand::generateHex( $length );
+               $hex = MWCryptRand::generateHex( ceil( $length * 1.25 ) );
                // Convert from base 16 to base 32 to get a proper password like string
-               return Wikimedia\base_convert( $hex, 16, 32 );
+               return substr( Wikimedia\base_convert( $hex, 16, 32, $length ), -$length );
        }
 
        /**