From 1165a89d8ceffe6ddb05292efd6b7a95fac43939 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Wed, 14 Oct 2015 17:53:09 -0400
Subject: [PATCH] 0-pad to length in random string generation

Otherwise shorter strings might be generated.

Bug: T115522
Change-Id: I3569218ea840e9de7a3fe458acf474e3dac6d1ab
---
 includes/User.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/includes/User.php b/includes/User.php
index 75649a7..d2838a7 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -1030,11 +1030,10 @@ class User implements IDBAccessObject {
 		// stopping at a minimum of 10 chars.
 		$length = max( 10, $wgMinimalPasswordLength );
 		// Multiply by 1.25 to get the number of hex characters we need
-		$length = $length * 1.25;
 		// Generate random hex chars
-		$hex = MWCryptRand::generateHex( $length );
+		$hex = MWCryptRand::generateHex( ceil( $length * 1.25 ) );
 		// Convert from base 16 to base 32 to get a proper password like string
-		return wfBaseConvert( $hex, 16, 32 );
+		return substr( wfBaseConvert( $hex, 16, 32, $length ), -$length );
 	}
 
 	/**
-- 
2.6.1