From e6b96f8873fed46e71e0d34cddb81c533167f954 Mon Sep 17 00:00:00 2001
From: Trim21
Date: Sun, 23 Jul 2023 04:47:35 +0800
Subject: [PATCH] docs: add comments to util.go `randomString` (#2494)
* Update util.go
---
 middleware/util.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/middleware/util.go b/middleware/util.go
index 0aa0420fc..4d2d172fc 100644
--- a/middleware/util.go
+++ b/middleware/util.go
@@ -74,6 +74,12 @@ func randomString(length uint8) string {
 r := make([]byte, length+(length/4)) // perf: avoid read from rand.Reader many times
 var i uint8 = 0
+ // security note:
+ // we can't just simply do b[i]=randomStringCharset[rb%len(randomStringCharset)],
+ // len(len(randomStringCharset)) is 52, and rb is [0, 255], 256 = 52 * 4 + 48.
+ // make the first 48 characters more possibly to be generated then others.
+ // So we have to skip bytes when rb > randomStringMaxByte
+
 for {
 _, err := io.ReadFull(reader, r)
 if err != nil {
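Review bot: The added security note in `randomString` is hard to rely on as written: `len(len(randomStringCharset))` is not a valid expression, and "more possibly to be generated then others" never names the actual problem, which is modulo bias. I would reword it to say that `rb % len(randomStringCharset)` folds 256 byte values onto 52 characters, so the first 48 characters would each be chosen 5 times in 256 instead of 4, and that bytes above `randomStringMaxByte` are therefore discarded and redrawn. The figure 52 is hard-coded in the comment, while the charset constant and the comparison against `randomStringMaxByte` both lie outside this hunk (the loop body continues past it), so confirm they agree with the comment before merging. The blank line added after the comment also detaches it from the `for` loop it explains and could be dropped.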