jenkins-bot has submitted this change and it was merged.

Change subject: wfRandomString: Correct bias toward digits 1-7
......................................................................


wfRandomString: Correct bias toward digits 1-7

Two problems with a single line of code:

* dechex() does not include leading zeros, so the first digit
  generated in each iteration cannot be zero unless the return
  value of mt_rand() is 0.

  This also means wfRandomString() is extremely unlikely to
  start a string with '0'.

* mt_rand() does not actually uniformly distribute values over
  [0,2^32-1]; it actually right-shifts one of the bits off (just
  because "[...] the previous php_rand only returns 31 at most"),
  so the maximum value is 0x7fffffff, not 0xffffffff.

  This means wfRandomString() will never start a string with
  any of the digits 8-f.

Including leading zeros and using only the 28 LSBs to form seven
hex digits at a time is the simplest fix.

Change-Id: Ic19b5b97c582485780b24fd35ffef2111cc8b3ca
---
M RELEASE-NOTES-1.22
M includes/GlobalFunctions.php
2 files changed, 4 insertions(+), 2 deletions(-)

Approvals:
  Tim Starling: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index ec424d3..f0ec6bb 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -63,6 +63,8 @@
 * (bug 46768) Usernames of blocking users now display correctly, even if 
numeric.
 * (bug 39590) {{PAGESIZE}} for the current page and self-transclusions now
   show the most up to date result always instead of being a revision behind.
+* A bias in wfRandomString() toward digits 1-7 has been corrected. Generated
+  strings now can start with digits 0 and 8-f.
 
 === API changes in 1.22 ===
 * (bug 46626) xmldoublequote parameter was removed. Because of a bug, the
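Review bot: the other entries in this section of RELEASE-NOTES-1.22 start with a "(bug NNNNN)" reference, while the new entry carries none; if a bug report exists for the wfRandomString() bias, prefix the entry with it in the same form so readers can trace the fix, otherwise the entry is fine as written.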
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 50287b3..43caf7a 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -322,8 +322,8 @@
  */
 function wfRandomString( $length = 32 ) {
        $str = '';
-       while ( strlen( $str ) < $length ) {
-               $str .= dechex( mt_rand() );
+       for ( $n = 0; $n < $length; $n += 7 ) {
+               $str .= sprintf( '%07x', mt_rand() & 0xfffffff );
        }
        return substr( $str, 0, $length );
 }
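Review bot: this distribution fix ships without a test (only RELEASE-NOTES-1.22 and includes/GlobalFunctions.php are touched), so a later edit could reintroduce the bias unnoticed; suggest a PHPUnit case that calls wfRandomString() many times and asserts both that the first character eventually takes each of the values '0' and '8'-'f' and that strlen() of every result equals $length, since the for/substr pair now generates seven characters per iteration and trims. The mask and format agree: `mt_rand() & 0xfffffff` keeps 28 of the 31 bits mt_rand() returns, which is exactly what `'%07x'` renders as seven zero-padded hex digits.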

-- 
To view, visit https://gerrit.wikimedia.org/r/61345
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ic19b5b97c582485780b24fd35ffef2111cc8b3ca
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: PleaseStand <pleasest...@live.com>
Gerrit-Reviewer: Aaron Schulz <asch...@wikimedia.org>
Gerrit-Reviewer: Daniel Friesen <dan...@nadir-seen-fire.com>
Gerrit-Reviewer: Parent5446 <tylerro...@gmail.com>
Gerrit-Reviewer: Tim Starling <tstarl...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
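To see the two defects the commit message describes, the following added example (not part of the change or of MediaWiki) runs the old and the fixed function bodies side by side and tallies the first character of many generated strings; the helper names wfRandomStringOld, wfRandomStringFixed and firstDigitHistogram are this example's own.

```php
<?php
// Added example: measure the first-character distribution of the old and the
// fixed wfRandomString(). Both loop bodies are copied from the hunk above.

// Old body: dechex() drops leading zeros and mt_rand() never exceeds
// 0x7fffffff, so the first character is almost always one of 1-7.
function wfRandomStringOld( $length = 32 ) {
    $str = '';
    while ( strlen( $str ) < $length ) {
        $str .= dechex( mt_rand() );
    }
    return substr( $str, 0, $length );
}

// Fixed body: keep the 28 low bits and zero-pad them to seven hex digits,
// so every position, including the first, can hold any of 0-f.
function wfRandomStringFixed( $length = 32 ) {
    $str = '';
    for ( $n = 0; $n < $length; $n += 7 ) {
        $str .= sprintf( '%07x', mt_rand() & 0xfffffff );
    }
    return substr( $str, 0, $length );
}

// Count how often each hex digit appears at position 0 over $samples calls.
function firstDigitHistogram( callable $gen, int $samples ): array {
    $hist = array_fill_keys( str_split( '0123456789abcdef' ), 0 );
    for ( $i = 0; $i < $samples; $i++ ) {
        $hist[ $gen( 16 )[0] ]++;
    }
    return $hist;
}

$samples = 100000;
foreach ( [ 'old' => 'wfRandomStringOld', 'fixed' => 'wfRandomStringFixed' ] as $name => $fn ) {
    echo "$name:\n";
    foreach ( firstDigitHistogram( $fn, $samples ) as $digit => $count ) {
        printf( "  %s %6.2f%%\n", $digit, 100 * $count / $samples );
    }
}
```

The "old" table concentrates on 1-7 with 0 and 8-f essentially absent, while the "fixed" table spreads the sixteen digits close to evenly, which is what the commit message predicts.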
