XenForo
Administrative
- Thread starter
- Admin
- #1
\XF\Util\Random::getRandomString() generates a cryptographically secure random value (by calling \XF\Util\Random::getRandomBytes()) but then calls base64_encode to generate a string from those bytes.AFAIK,
base64_encode is not constant time so could be vulnerable to timing attacks.It might therefore be better to use
sodium_bin2base64 instead (if available) or fallback to bundled ParagonIE_Sodium_Core_Base64_UrlSafe if not.Read more about this Feed . . .