Fix #216: Use random_int() when generating boundary

samdark · web-flow · commit e2330cc85f0d · 2021-08-09T10:24:00.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@ Yii Framework 2 HTTP client extension Change Log
 ------------------------
 
 - Enh #215: Added possibility to skip charset in header on `UrlEncodedFormatter::format()` (egorrishe)
-
+- Enh #216: Use `random_int()` when generating boundary (samdark)
 
 2.0.13 December 23, 2020
 ------------------------
diff --git a/composer.json b/composer.json
@@ -18,7 +18,8 @@
         }
     ],
     "require": {
-        "yiisoft/yii2": "~2.0.13"
+        "yiisoft/yii2": "~2.0.13",
+        "paragonie/random_compat": ">=1"
     },
     "require-dev": {
         "cweagans/composer-patches": "^1.7",
diff --git a/src/Request.php b/src/Request.php
@@ -61,7 +61,7 @@ class Request extends Message
      * @var array Stores map (alias => name) of the content parameters
      */
     private $_contentMap = [];
-    /** 
+    /**
      * @var float stores the starttime of the current request with microsecond-precession
      */
     private $_startTime;
@@ -383,7 +383,8 @@ private function prepareMultiPartContent(array $content)
 
         // generate safe boundary :
         do {
-            $boundary = '---------------------' . md5(mt_rand() . microtime());
+
+            $boundary = '---------------------' . md5(random_int(0, PHP_INT_MAX) . microtime());
         } while (preg_grep("/{$boundary}/", $contentParts));
 
         // add boundary for each part :
