From 64460d53968818be036b15fc9ba005355a0decef Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 2 Jul 2015 11:41:19 +0200 Subject: [PATCH 1/2] Added a tip about hashing the result of nextBytes() --- components/security/secure_tools.rst | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/components/security/secure_tools.rst b/components/security/secure_tools.rst index 2ee5a98b920..c0e6965efb9 100644 --- a/components/security/secure_tools.rst +++ b/components/security/secure_tools.rst @@ -54,7 +54,14 @@ to work correctly. Just pass a file name to enable it:: .. note:: - If you're using the Symfony Framework, you can access a secure random - instance directly from the container: its name is ``security.secure_random``. + If you're using the Symfony Framework, you can get a secure random number + generator via the ``security.secure_random`` service. + +.. tip:: + + The ``nextBytes()`` method returns a binary string which may contain the + ``\0`` character. If you store this value in a database or include it as + part of the URL, make sure to hash the value returned by ``nextBytes()`` + (to do that, you can use a simple ``md5()`` PHP function). .. _`Timing attack`: http://en.wikipedia.org/wiki/Timing_attack From 1a4b5fab1992c931ca271d53a16e9836e1b46dce Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Fri, 10 Jul 2015 13:19:25 +0200 Subject: [PATCH 2/2] Reword --- components/security/secure_tools.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/components/security/secure_tools.rst b/components/security/secure_tools.rst index c0e6965efb9..924b0795c29 100644 --- a/components/security/secure_tools.rst +++ b/components/security/secure_tools.rst 
@@ -60,8 +60,9 @@ to work correctly. Just pass a file name to enable it:: .. tip:: The ``nextBytes()`` method returns a binary string which may contain the - ``\0`` character. If you store this value in a database or include it as - part of the URL, make sure to hash the value returned by ``nextBytes()`` - (to do that, you can use a simple ``md5()`` PHP function). + ``\0`` character. This can cause troubles in lots of common scenarios, such + as storing this value in a database or including it as part of the URL. The + solution is to hash the value returned by ``nextBytes()`` (to do that, you + can use a simple ``md5()`` PHP function). .. _`Timing attack`: http://en.wikipedia.org/wiki/Timing_attack
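Review bot: in the first patch's hunk (the new ``.. tip::`` block), the recommended fix does not match the stated problem. The text correctly says ``nextBytes()`` returns a binary string that may contain ``\0``, which is an encoding problem, yet the advice is to hash it with ``md5()``. MD5 collapses whatever length was requested into 16 bytes, so a call asking for more than 16 bytes loses entropy, and recommending MD5 in the security component's documentation is a poor signal regardless. Suggest replacing "make sure to hash the value returned by ``nextBytes()`` (to do that, you can use a simple ``md5()`` PHP function)" with advice to encode it losslessly, for example with ``bin2hex()`` or ``base64_encode()``, which keeps every byte of randomness and can be decoded back if the raw value is ever needed.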
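Review bot: in the second patch's hunk, the reworded sentence "This can cause troubles in lots of common scenarios" reads colloquially for reference documentation ("troubles" is also non-idiomatic here); suggest "This can cause problems in common scenarios, such as storing the value in a database or including it in a URL." The rewording also carries over the ``md5()`` recommendation unchanged: since the issue is only that the bytes are not safe to store or place in a URL, the sentence should say "The solution is to encode the value returned by ``nextBytes()``" and point at a lossless encoding such as ``bin2hex()`` or ``base64_encode()``, rather than a hash that truncates anything longer than 16 bytes.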