Wrong implementation of function create_guid(): suggest converting mt_rand -> mt_srand

Hi all,

I have noticed the GUIDs are very similar in the middle part. This seems to be due to the use of the PHP mt_rand function in create_guid_section(), used by create_guid().

05c187c1-136a-11e5-bbe6-001e4f2417ce
05d0f8c2-136a-11e5-bbe6-001e4f2417ce
05d19b7e-136a-11e5-bbe6-001e4f2417ce
05d23c6c-136a-11e5-bbe6-001e4f2417ce
05d2f384-136a-11e5-bbe6-001e4f2417ce
05d38c8d-136a-11e5-bbe6-001e4f2417ce
05d429fe-136a-11e5-bbe6-001e4f2417ce
05d4cbb2-136a-11e5-bbe6-001e4f2417ce
05d56d91-136a-11e5-bbe6-001e4f2417ce
05d607ab-136a-11e5-bbe6-001e4f2417ce
05d6a3b3-136a-11e5-bbe6-001e4f2417ce

function create_guid()
{
    // microtime() returns "0.<microseconds> <seconds>"
    $microTime = microtime();
    list($a_dec, $a_sec) = explode(' ', $microTime);

    // microseconds and epoch seconds as hex
    $dec_hex = dechex($a_dec * 1000000);
    $sec_hex = dechex($a_sec);

    // fix the time parts to 5 and 6 hex digits
    ensure_length($dec_hex, 5);
    ensure_length($sec_hex, 6);

    // layout: 5 time + 3 random, 4 random, 4 random, 4 random, 6 time + 6 random
    $guid = '';
    $guid .= $dec_hex;
    $guid .= create_guid_section(3);
    $guid .= '-';
    $guid .= create_guid_section(4);
    $guid .= '-';
    $guid .= create_guid_section(4);
    $guid .= '-';
    $guid .= create_guid_section(4);
    $guid .= '-';
    $guid .= $sec_hex;
    $guid .= create_guid_section(6);

    return $guid;
}

function create_guid_section($characters)
{
    // one mt_rand() nibble per hex digit
    $return = '';
    for ($i = 0; $i < $characters; ++$i) {
        $return .= dechex(mt_rand(0, 15));
    }

    return $return;
}

Why not use the safer mt_srand?
Thanks,
Jacopo

I read a few things about this and

  • from PHP 5.4 on, it seems the seeding is automatically done whenever mt_rand is called for the first time:

https://stackoverflow.com/questions/11358691/how-is-phps-mt-rand-seeded

  • there’s a lot of talk online about how insecure mt_rand is, and it is in fact, but that’s when you use the randomization for cryptographic purposes, which is not the case at all here. These IDs simply need to be unique, there is no security mechanism relying on IDs in SuiteCRM.

  • my IDs look random, unlike yours. I don’t see that similarity you’re seeing. Is your PHP under 5.4? (Remember PHP 5.5 is the minimum supported version for SuiteCRM).

Hi,
thanks for your answer.
I use PHP 7.0.25 and I just want to point out that with big numbers there could potentially be a collision issue.

j

Well, I don’t know… I would like to understand why your system doesn’t produce varied numbers, and mine does:

-rwxrwxr-x  1 www-data www-data    8558 Apr 15  2017 31b1f1f2-cb4c-8ba7-222c-58f234025094*
-rwxrwxr-x  1 www-data www-data   10992 Apr 15  2017 aa027c74-4bfd-04a4-e148-58f1dfcb7265*
-rwxrwxr-x  1 www-data www-data   84656 Apr 15  2017 b30658bf-fe4a-1ea0-3d00-58f1dfebba58*
-rwxrwxr-x  1 www-data www-data   10992 Apr 15  2017 bd201a70-93d7-50c8-bfc4-58f1ef05ca5a*
-rwxrwxr-x  1 www-data www-data   10992 Apr 15  2017 f30cdc9e-f2a1-84a3-01ad-58f22fb7e603*

These are all created in the same day, for files in the upload directory.

Anyway, mt_srand would not change anything, since from PHP 5.4 it actually gets called automatically when you call mt_rand…
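To put numbers behind the two questions raised in this thread (why the first poster's IDs look alike, and how likely a collision is), here is an added analysis script; it is not code from the thread or from SuiteCRM. It reproduces the nibble layout of create_guid() as posted above (assuming ensure_length() pads or truncates to the requested length), reports which nibble positions stay constant across a sample of IDs, checks whether an ID has the RFC 4122 shape (8-4-4-4-12 with variant bits 10xx), and applies the birthday bound to the 84 mt_rand bits per ID. Run on the eleven IDs from the first post, it reports that positions 8 to 31 never change and that every ID carries version nibble 1 and the same 12-hex node field, which is the layout of a time-based UUID rather than of create_guid(), whose clock digits sit at positions 0 to 4 and 20 to 25; run on the five upload-directory IDs from the last post, only positions 20 to 22 (the top epoch-seconds digits) are constant, exactly as create_guid() predicts. The RFC check is evidence, not proof: a random ID passes the variant test one time in four, and one of the five upload-directory IDs does so by chance.

```python
import math

# Constructed sample: the eleven IDs quoted in the first post of the thread.
FIRST_POST_IDS = [
    "05c187c1-136a-11e5-bbe6-001e4f2417ce",
    "05d0f8c2-136a-11e5-bbe6-001e4f2417ce",
    "05d19b7e-136a-11e5-bbe6-001e4f2417ce",
    "05d23c6c-136a-11e5-bbe6-001e4f2417ce",
    "05d2f384-136a-11e5-bbe6-001e4f2417ce",
    "05d38c8d-136a-11e5-bbe6-001e4f2417ce",
    "05d429fe-136a-11e5-bbe6-001e4f2417ce",
    "05d4cbb2-136a-11e5-bbe6-001e4f2417ce",
    "05d56d91-136a-11e5-bbe6-001e4f2417ce",
    "05d607ab-136a-11e5-bbe6-001e4f2417ce",
    "05d6a3b3-136a-11e5-bbe6-001e4f2417ce",
]

# Constructed sample: the five upload-directory IDs quoted in the last post.
CREATE_GUID_IDS = [
    "31b1f1f2-cb4c-8ba7-222c-58f234025094",
    "aa027c74-4bfd-04a4-e148-58f1dfcb7265",
    "b30658bf-fe4a-1ea0-3d00-58f1dfebba58",
    "bd201a70-93d7-50c8-bfc4-58f1ef05ca5a",
    "f30cdc9e-f2a1-84a3-01ad-58f22fb7e603",
]

# Nibble layout of create_guid() as posted in the thread, hyphens removed:
# T = dechex(microseconds) fixed to 5 hex digits, R = one mt_rand(0, 15) nibble,
# S = dechex(epoch seconds) fixed to 6 hex digits. Assumes ensure_length() pads
# or truncates to the requested length (hypothetical; its body is not in the thread).
CREATE_GUID_LAYOUT = "T" * 5 + "R" * 3 + "R" * 4 + "R" * 4 + "R" * 4 + "S" * 6 + "R" * 6


def random_bits_per_guid(layout=CREATE_GUID_LAYOUT):
    """Bits of mt_rand output in one ID: four per R nibble (84 for create_guid)."""
    return 4 * layout.count("R")


def position_profile(ids):
    """Number of distinct hex digits seen at each nibble position (hyphens skipped)."""
    rows = [i.replace("-", "").lower() for i in ids]
    width = len(rows[0])
    if any(len(r) != width for r in rows):
        raise ValueError("IDs in the sample have different lengths")
    return [len({r[p] for r in rows}) for p in range(width)]


def constant_positions(ids):
    """Nibble positions whose value never changes across the sample."""
    return [p for p, distinct in enumerate(position_profile(ids)) if distinct == 1]


def rfc4122_version(uuid):
    """Version nibble of an RFC 4122-shaped UUID, or None if the shape does not match."""
    groups = uuid.lower().split("-")
    if [len(g) for g in groups] != [8, 4, 4, 4, 12]:
        return None
    if not all(c in "0123456789abcdef" for g in groups for c in g):
        return None
    if int(groups[3][0], 16) & 0xC != 0x8:  # variant field must be 10xx
        return None
    return int(groups[2][0], 16)


def birthday_collision_probability(n, space):
    """Approximate probability that n uniform draws from `space` values contain a duplicate."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def report(ids, label):
    const = constant_positions(ids)
    print(f"{label}: {len(ids)} IDs, constant nibble positions {const}")
    print(f"  create_guid layout letters at those positions: "
          f"{''.join(CREATE_GUID_LAYOUT[p] for p in const)}")
    print(f"  RFC 4122 version nibbles seen: {sorted(map(str, {rfc4122_version(i) for i in ids}))}")


if __name__ == "__main__":
    report(FIRST_POST_IDS, "first post")
    report(CREATE_GUID_IDS, "upload directory")
    # Worst case for create_guid: IDs that share the same T and S digits, so only the
    # R nibbles separate them. The birthday bound gives the duplicate probability.
    space = 2 ** random_bits_per_guid()
    for n in (10**6, 10**9):
        p = birthday_collision_probability(n, space)
        print(f"{n:>10} IDs with identical clock digits: P(duplicate) ~ {p:.3e}")
```

The birthday figures show that the collision concern is about the quality of the 84 random bits, not about their quantity: a million IDs that share every clock digit collide with probability around 1e-14. What those bits cannot protect against is two processes running mt_rand from the same state, which is why the seeding question matters more than the call to mt_srand itself.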