Release 0.8.1

guzzle · Jan 6, 2025 · 92b619b · 92b619b
1 parent 4e4d672
commit 92b619b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 21 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## 0.8.1 - 2025-06-01
+
+* Fixed insufficient nonce entropy (CVE-2025-21617)
+
 ## 0.8.0 - 2025-06-01
 
 * Adjusted some method modifiers and added return types

diff --git a/src/Oauth1.php b/src/Oauth1.php
@@ -100,10 +100,7 @@ public function __invoke(callable $handler)
      */
     private function onBefore(RequestInterface $request): RequestInterface
     {
-        $oauthparams = self::getOauthParams(
-            $this->generateNonce($request),
-            $this->config
-        );
+        $oauthparams = self::getOauthParams($this->config);
 
         $oauthparams['oauth_signature'] = $this->getSignature($request, $oauthparams);
         uksort($oauthparams, 'strcmp');
@@ -179,19 +176,6 @@ public function getSignature(RequestInterface $request, array $params): string
         return base64_encode($signature);
     }
 
-    /**
-     * Returns a Nonce Based on the unique id and URL.
-     *
-     * This will allow for multiple requests in parallel with the same exact
-     * timestamp to use separate nonce's.
-     *
-     * @param RequestInterface $request Request to generate a nonce for
-     */
-    private static function generateNonce(RequestInterface $request): string
-    {
-        return sha1(uniqid('', true).$request->getUri()->getHost().$request->getUri()->getPath());
-    }
-
     /**
      * Creates the Signature Base String.
      *
@@ -296,14 +280,13 @@ private function buildAuthorizationHeader(array $params): array
     /**
      * Get the oauth parameters as named by the oauth spec
      *
-     * @param string $nonce  Unique nonce
-     * @param array  $config Configuration options of the plugin.
+     * @param array $config Configuration options of the plugin.
      */
-    private static function getOauthParams(string $nonce, array $config): array
+    private static function getOauthParams(array $config): array
     {
         $params = [
             'oauth_consumer_key' => $config['consumer_key'],
-            'oauth_nonce' => $nonce,
+            'oauth_nonce' => bin2hex(random_bytes(20)),
             'oauth_signature_method' => $config['signature_method'],
             'oauth_timestamp' => time(),
         ];