From a0f1c07be2b507b6a395865ee40e83af8632f9b6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 29 Jan 2026 11:44:31 +0000
Subject: [PATCH 1/2] Initial plan
From 758227b0a765b13d46d016a28edbfacf3f41071e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 29 Jan 2026 12:03:52 +0000
Subject: [PATCH 2/2] Fix order token generator entropy by using random_int() and 32-char tokens
Co-authored-by: dpfaffenbauer <5981845+dpfaffenbauer@users.noreply.github.com>
---
 .../Controller/CheckoutController.php | 2 +-
 .../Component/Order/Factory/OrderFactory.php | 2 +-
 .../TokenGenerator/UniqueTokenGenerator.php | 24 ++-----------------
 .../Factory/StorageListFactory.php | 2 +-
 4 files changed, 5 insertions(+), 25 deletions(-)
diff --git a/src/CoreShop/Bundle/FrontendBundle/Controller/CheckoutController.php b/src/CoreShop/Bundle/FrontendBundle/Controller/CheckoutController.php
index 8b97056ea4..ae12777486 100644
--- a/src/CoreShop/Bundle/FrontendBundle/Controller/CheckoutController.php
+++ b/src/CoreShop/Bundle/FrontendBundle/Controller/CheckoutController.php
@@ -211,7 +211,7 @@ public function doCheckoutAction(Request $request): Response
 //@Todo: remove with CoreShop 5.0
 if (!$order->getToken()) {
 $tokenGenerator = new UniqueTokenGenerator();
- $order->setToken($tokenGenerator->generate(10));
+ $order->setToken($tokenGenerator->generate(32));
 $order->save();
 }
diff --git a/src/CoreShop/Component/Order/Factory/OrderFactory.php b/src/CoreShop/Component/Order/Factory/OrderFactory.php
index f43ea49f62..82afb2b0ca 100644
--- a/src/CoreShop/Component/Order/Factory/OrderFactory.php
+++ b/src/CoreShop/Component/Order/Factory/OrderFactory.php
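Review bot: The new length `32` is a bare magic number here, and the same literal is repeated in the OrderFactory constructor default and in StorageListFactory, so the three can drift apart again the next time the policy changes. I would declare it once on the generator, `public const DEFAULT_LENGTH = 32;`, and write `$order->setToken($tokenGenerator->generate(UniqueTokenGenerator::DEFAULT_LENGTH));` at this and the StorageListFactory call site, with OrderFactory's default referencing the same constant. OrderFactory's new default only takes effect where the service wiring does not pass `$tokenLength` explicitly, which is worth confirming. The diff touches no schema or class definition, so if the order token is persisted in a field sized for the previous 10-character tokens, confirm it accepts 32 characters before this ships. `doCheckoutAction` begins and ends outside this hunk.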
@@ -34,7 +34,7 @@ class OrderFactory implements StorageListFactoryInterface
 public function __construct(
 private FactoryInterface $cartFactory,
 private UniqueTokenGenerator $tokenGenerator,
- private int $tokenLength = 10,
+ private int $tokenLength = 32,
 ) {
 }
diff --git a/src/CoreShop/Component/Resource/TokenGenerator/UniqueTokenGenerator.php b/src/CoreShop/Component/Resource/TokenGenerator/UniqueTokenGenerator.php
index 55ae34ab59..5026a36c54 100644
--- a/src/CoreShop/Component/Resource/TokenGenerator/UniqueTokenGenerator.php
+++ b/src/CoreShop/Component/Resource/TokenGenerator/UniqueTokenGenerator.php
@@ -49,33 +49,13 @@ public function __construct(
 public function generate(int $length): string
 {
 $token = '';
+ $maxIndex = $this->keyLength - 1;
 for ($i = 0; $i < $length; ++$i) {
- $randomKey = $this->getRandomInteger($this->keyLength);
+ $randomKey = random_int(0, $maxIndex);
 $token .= $this->keys[$randomKey];
 }
 return $token;
 }
-
- private function getRandomInteger(int $max): int
- {
- $range = ($max - 0);
-
- if ($range < 0) {
- return 0;
- }
-
- $log = log($range, 2);
- $bytes = (int) ($log / 8) + 1;
- $bits = (int) $log + 1;
- $filter = (1 << $bits) - 1;
-
- do {
- $rnd = hexdec(bin2hex(openssl_random_pseudo_bytes($bytes)));
- $rnd = $rnd & $filter;
- } while ($rnd >= $range);
-
- return 0 + $rnd;
- }
 }
diff --git a/src/CoreShop/Component/StorageList/Factory/StorageListFactory.php b/src/CoreShop/Component/StorageList/Factory/StorageListFactory.php
index 0dd7934b66..ca985d2845 100644
--- a/src/CoreShop/Component/StorageList/Factory/StorageListFactory.php
+++ b/src/CoreShop/Component/StorageList/Factory/StorageListFactory.php
@@ -46,7 +46,7 @@ public function createNew()
 if ($storageList instanceof TokenAwareStorageListInterface) {
 $tokenGenerator = new UniqueTokenGenerator();
- $storageList->setToken($tokenGenerator->generate(10));
+ $storageList->setToken($tokenGenerator->generate(32));
 }
 return $storageList;
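Review bot: `random_int(0, $maxIndex)` throws `\ValueError` when `$maxIndex` is negative (an empty alphabet, i.e. `$this->keyLength === 0`) and `\Exception` (`\Random\RandomException` on PHP 8.2+) when no secure entropy source is available, and neither condition is guarded or documented in the new `generate()`; the removed `getRandomInteger()` at least had an explicit check for a negative range. I would either validate the alphabet in the constructor (which starts outside this hunk) or add `if ($maxIndex < 0) { throw new \LogicException('Token alphabet is empty'); }` before the loop, and give `generate()` a docblock stating that each character is drawn with a CSPRNG, that `$length <= 0` yields an empty string, and listing `@throws \ValueError` and `@throws \Exception`. Since the upper bound is taken from `$this->keyLength` rather than `count($this->keys)`, the two are presumably kept in sync by the constructor — worth confirming, because a mismatch would produce undefined-offset warnings and a shorter-than-requested token rather than an error.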