MAGETWO-47050: Magento 2: encryption keys generated in the admin interface are very weak

Author: Yaroslav Voronoy

app/code/Magento/EncryptionKey/Model/ResourceModel/Key/Change.php

@@ -9,6 +9,7 @@
 use Magento\Framework\Config\ConfigOptionsListConstants;
 use Magento\Framework\Config\Data\ConfigData;
 use Magento\Framework\Config\File\ConfigFilePool;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Encryption key changer resource model
@@ -66,15 +67,13 @@ public function __construct(
         \Magento\Config\Model\Config\Structure $structure,
         \Magento\Framework\Encryption\EncryptorInterface $encryptor,
         \Magento\Framework\App\DeploymentConfig\Writer $writer,
-        \Magento\Framework\Math\Random $random,
         $connectionName = null
     ) {
         $this->encryptor = clone $encryptor;
         parent::__construct($context, $connectionName);
         $this->directory = $filesystem->getDirectoryWrite(DirectoryList::CONFIG);
         $this->structure = $structure;
         $this->writer = $writer;
-        $this->random = $random;
     }
 
     /**
@@ -102,7 +101,7 @@ public function changeEncryptionKey($key = null)
         }
 
         if (null === $key) {
-            $key = md5($this->random->getRandomString(ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE));
+            $key = md5($this->getRandom()->getRandomString(ConfigOptionsListConstants::STORE_KEY_RANDOM_STRING_SIZE));
         }
         $this->encryptor->setNewKey($key);
 
@@ -125,6 +124,19 @@ public function changeEncryptionKey($key = null)
         }
     }
 
+    /**
+     * Get Math Random
+     *
+     * @return \Magento\Framework\Math\Random
+     */
+    public function getRandom()
+    {
+        if (!$this->random) {
+            $this->random = ObjectManager::getInstance()->get('\Magento\Framework\Math\Random');
+        }
+        return $this->random;
+    }
+
     /**
      * Gather all encrypted system config values and re-encrypt them
      *