Feature Proposal: Add a function to generate a cryptographically secure random string

Motivation

Currently we use perl's rand() function to generate strings where needed. It's used in several places in core, including password salt, registration tokens, etc. This is not aligned with best practices. Rather than implement a string generator in multiple places, add it to Foswiki.pm

It might be useful to expose this in Foswiki::Func. However as the source of entropy for strong random strings is limited, it might be best to reserve it for use where truly required.

Description and Documentation

Add Foswiki::randomString( length, from-characters). It would use CPAN:Bytes::Random::Secure to return a string of the requested length. If the dependency is missing, it falls back to the original Foswiki/TWiki algorithm.

Use this function anywhere random strings are required including

• password salt
• registration token
• validation token
• request cache

Examples

Impact

It's possible to deplete system entropy if re-seeded too frequently. The default is to use dev/urandom on *nix systems to avoid blocking on insufficient entropy. The code should load on demand to minimize seeding the RNG when not required.

WhatDoesItAffect:

%WHATDOESITAFFECT%

edit

Implementation

-- Contributors: GeorgeClark - 30 Sep 2017

Discussion

Changes are all checked into the Item14506 branch. Awaiting merge.

-- GeorgeClark - 05 Dec 2017

Commenting is disabled while not logged in