Merge branch 'preserve_entropy' into 1.3.x

Author: stof

Changelog.md

@@ -1,6 +1,17 @@
 Changelog
 =========
 
+### 1.3.5 (2014-09-04)
+
+This release fixes a security issue. You are encouraged to update
+as soon as possible.
+
+BC break: The characters used in generated tokens have changed. They
+now include dashes and underscores as well. Any routing requirement
+matching them should be updated to ``[\w\-]+``.
+
+* Fixed the TokenGenerator to preserve entropy.
+
 ### 1.3.4 (2014-06-13)
 
 * Fixed the compatibility with FrameworkBundle 2.5

Upgrade.md

@@ -4,6 +4,30 @@ Upgrade instruction
 This document describes the changes needed when upgrading because of a BC
 break. For the full list of changes, please look at the Changelog file.
 
+## 1.3.4 to 1.3.5
+
+The characters used in generated tokens have changed. They now include dashes
+and underscores as well. Any routing requirement matching them should be
+updated to ``[\w\-]+``.
+
+Before:
+
+```yaml
+my_route:
+    path: /{token}
+    requirement:
+        token: \w+
+```
+
+After:
+
+```yaml
+my_route:
+    path: /{token}
+    requirement:
+        token: '[\w\-]+'
+```
+
 ## 1.2 to 1.3
 
 ### Forms

Util/TokenGenerator.php

@@ -37,7 +37,7 @@ public function __construct(LoggerInterface $logger = null)
 
     public function generateToken()
     {
-        return base_convert(bin2hex($this->getRandomNumber()), 16, 36);
+        return rtrim(strtr(base64_encode($this->getRandomNumber()), '+/', '-_'), '=');
     }
 
     private function getRandomNumber()