Note: I have been asked to log all the security issues that I have found by an OWASP contributor to support the decision to abandon this project. My personal opinion is that all of the code in this repository is beyond repair and that it is not wise to attempt to fix it.
openssl_random_psuedo_bytes can return FALSE and it can also set an optional second parameter to declare whether it managed to securely generate a random value or not.
The outputs should be checked and the function should fail hard if there has been an issue.
Note: I have been asked to log all the security issues that I have found by an OWASP contributor to support the decision to abandon this project. My personal opinion is that all of the code in this repository is beyond repair and that it is not wise to attempt to fix it.
openssl_random_psuedo_bytes
can return FALSE and it can also set an optional second parameter to declare whether it managed to securely generate a random value or not.The outputs should be checked and the function should fail hard if there has been an issue.
https://github.com/OWASP/phpsec/blob/1999edc10a3b755ff2b17bb78376bd53dd40d192/libs/core/random.php#L52
https://github.com/OWASP/phpsec/blob/1999edc10a3b755ff2b17bb78376bd53dd40d192/libs/core/random.php#L114