diff --git a/index.php b/index.php
index 61822773..4747c0ce 100644
--- a/index.php
+++ b/index.php
@@ -345,8 +345,8 @@ if ($action == 'forgotpwd') {
 if ($user !== false) {
 // build a activation code
 $timestamp = time();
- $first = substr(md5($user['loginname'] . $timestamp . rand(0, $timestamp)), 0, 15);
- $third = substr(md5($user['email'] . $timestamp . rand(0, $timestamp)), -15);
+ $first = substr(md5($user['loginname'] . $timestamp . randomStr(16)), 0, 15);
+ $third = substr(md5($user['email'] . $timestamp . randomStr(16)), -15);
 $activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
 // Drop all existing activation codes for this user
diff --git a/lib/functions/system/function.randomStr.php b/lib/functions/system/function.randomStr.php
new file mode 100644
index 00000000..285ca27b
--- /dev/null
+++ b/lib/functions/system/function.randomStr.php
@@ -0,0 +1,44 @@
+ (2016-)
+ * @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
+ * @package Functions
+ *
+ */
+
+ /**
+ * Function randomStr
+ *
+ * generate a pseudo-random string of bytes
+ *
+ * @param int $length
+ *
+ * @return string
+ */
+ function randomStr($length)
+ {
+ if (version_compare(PHP_VERSION, '7.0.0') >= 0) {
+ return random_bytes($length);
+ } elseif (function_exists('openssl_random_pseudo_bytes')) {
+ return openssl_random_pseudo_bytes($length);
+ } else {
+ $pr_bits = '';
+ $fp = @fopen('/dev/urandom', 'rb');
+ if ($fp !== false) {
+ $pr_bits .= @fread($fp, $length);
+ @fclose($fp);
+ } else {
+ $pr_bits = substr(rand(time()).rand(time()), 0, $length);
+ }
+ return $pr_bits;
+ }
+ }
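Review bot: The comment above the changed lines still reads `// build a activation code` and says nothing about where the token's secrecy comes from; now that randomStr(16) supplies the randomness, the md5() over loginname, email and timestamp is only a hex mapping, not a source of unpredictability, and a later reader could "simplify" the expression by dropping the random argument. I would extend the comment to `// the 16 CSPRNG bytes per half are the secret; md5() only truncates them to hex, never remove them`. On PHP 7+ randomStr() delegates to random_bytes(), which throws when no secure source is available, and nothing in this block catches it — failing closed is the right outcome for a reset token, but a one-line comment would stop it being mistaken for an oversight. The enclosing `if ($user !== false)` block and the forgotpwd handler continue outside the hunk.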
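Review bot: The final fallback in randomStr(), `$pr_bits = substr(rand(time()).rand(time()), 0, $length);`, silently swaps the CSPRNG for a non-cryptographic generator, and as written it does not even produce that: rand() takes zero or two arguments, so a one-argument call warns and yields null on PHP 5/7 (the function then returns an empty string) and raises ArgumentCountError on PHP 8. Since the only caller builds a password-reset token from this output, the function should refuse rather than degrade; the openssl branch likewise ignores the `$crypto_strong` out-parameter and so can hand back weak bytes on older builds, and the /dev/urandom branch returns whatever partial result `@fread` gave without checking the length. I would rework the fallback chain so that every non-CSPRNG outcome falls through to a throw at the end, and update the docblock from "generate a pseudo-random string of bytes" to say the bytes are cryptographically secure, adding `@throws Exception when no secure random source is available`. `version_compare(PHP_VERSION, '7.0.0') >= 0` would also read more directly as `function_exists('random_bytes')`.
```php
function randomStr($length)
{
    // … unchanged: random_bytes() branch for PHP >= 7.0 …
    if (function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        // only accept output OpenSSL itself reports as cryptographically strong
        if ($bytes !== false && $strong === true) {
            return $bytes;
        }
    }
    $fp = @fopen('/dev/urandom', 'rb');
    if ($fp !== false) {
        $bytes = @fread($fp, $length);
        @fclose($fp);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // no secure source: refuse rather than return predictable or empty bytes
    throw new Exception('randomStr(): no cryptographically secure random source available');
}
```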