Feature Proposal: Add a function to generate a cryptographically secure random string
Currently we use Perl's rand() function to generate strings where needed. It is used in several places in core, including password salts and registration tokens. This is not aligned with best practice: rand() is not a cryptographically secure generator. Rather than implement a string generator in multiple places, add it to Foswiki.pm.
It might be useful to expose this in Foswiki::Func. However, as the source of entropy for strong random strings is limited, it might be best to reserve it for use where truly required.
Description and Documentation
Add Foswiki::randomString( length, from-characters ). It would use CPAN:Bytes::Random::Secure to return a string of the requested length. If the dependency is missing, it falls back to the original Foswiki/TWiki algorithm.
Use this function anywhere random strings are required, including:
- password salt
- registration token
- validation token
- request cache
It's possible to deplete system entropy if re-seeded too frequently. The default is to use
on *nix systems to avoid blocking on insufficient entropy. The code should load on demand to minimize seeding the RNG when not required.
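The following is an added illustration of the proposed function, not the Foswiki core implementation; the package name is hypothetical, and the rand()-based fallback is a stand-in for the legacy Foswiki/TWiki algorithm rather than a copy of it. It loads CPAN:Bytes::Random::Secure on demand so the generator is seeded once, on first use, and uses the module's NonBlocking option on *nix.

```perl
package Example::RandomString;    # hypothetical name; not Foswiki core
use strict;
use warnings;

my $RNG;    # cached generator: seeded once, on first use

# Load Bytes::Random::Secure lazily so the OS entropy pool is only
# touched when a random string is actually needed.
sub _secure_rng {
    return $RNG if defined $RNG;
    if ( eval { require Bytes::Random::Secure; 1 } ) {
        $RNG = Bytes::Random::Secure->new(
            Bits        => 256,    # seed drawn from the OS once per process
            NonBlocking => 1,      # non-blocking source; never stalls on low entropy
        );
    }
    return $RNG;
}

# randomString( $length, $chars ): string of $length characters drawn
# from $chars (default: alphanumerics). Falls back to rand() when the
# CPAN module is missing; that fallback is a stand-in for the legacy
# Foswiki algorithm, which this example does not reproduce.
sub randomString {
    my ( $length, $chars ) = @_;
    $chars = join( '', 'a' .. 'z', 'A' .. 'Z', '0' .. '9' )
      unless defined $chars && length $chars;
    die "length must be a positive integer\n"
      unless defined $length && $length =~ /^\d+$/ && $length > 0;

    my $rng = _secure_rng();
    return $rng->string_from( $chars, $length ) if $rng;

    warn "Bytes::Random::Secure not installed; falling back to rand()\n";
    my @bag = split //, $chars;
    return join '', map { $bag[ int rand @bag ] } 1 .. $length;
}

# isSecure(): lets a caller such as salt generation check which path
# is active, e.g. to log a warning during configure/bootstrap.
sub isSecure { return defined _secure_rng() ? 1 : 0 }

# Stand-alone demo: a 32-character token and which generator produced it.
unless (caller) {
    print randomString(32), "\n";
    print( ( isSecure() ? 'secure' : 'FALLBACK' ), "\n" );
}

1;
```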
-- Contributors: GeorgeClark
- 30 Sep 2017
Changes are all checked into the Item14506 branch. Awaiting merge.
- 05 Dec 2017