maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

avoid rand() if possible as it is not generating cryptographically secure values, thx to Hanno for putting some effort into this

Browse Source 
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
2016-01-28 08:27:15 +01:00
parent ebedb97fae
commit da4ec3e1b5
2 changed files with 46 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
index.php
View File

@@ -345,8 +345,8 @@ if ($action == 'forgotpwd') {
if ($user !== false) { if ($user !== false) {
// build a activation code // build a activation code
$timestamp = time(); $timestamp = time();
$first = substr(md5($user['loginname'] . $timestamp . rand(0, $timestamp)), 0, 15); $first = substr(md5($user['loginname'] . $timestamp . randomStr(16)), 0, 15);
$third = substr(md5($user['email'] . $timestamp . rand(0, $timestamp)), -15); $third = substr(md5($user['email'] . $timestamp . randomStr(16)), -15);
$activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10); $activationcode = $first . $timestamp . $third . substr(md5($third . $timestamp), 0, 10);
// Drop all existing activation codes for this user // Drop all existing activation codes for this user

44
lib/functions/system/function.randomStr.php Normal file
View File

@@ -0,0 +1,44 @@
<?php
/**
* This file is part of the Froxlor project.
* Copyright (c) 2010 the Froxlor Team (see authors).
*
* For the full copyright and license information, please view the COPYING
* file that was distributed with this source code. You can also view the
* COPYING file online at http://files.froxlor.org/misc/COPYING.txt
*
* @copyright (c) the authors
* @author Froxlor team <team@froxlor.org> (2016-)
* @license GPLv2 http://files.froxlor.org/misc/COPYING.txt
* @package Functions
*
*/
/**
* Function randomStr
*
* generate a pseudo-random string of bytes
*
* @param int $length
*
* @return string
*/
function randomStr($length)
{
if (version_compare(PHP_VERSION, '7.0.0') >= 0) {
return random_bytes($length);
} elseif (function_exists('openssl_random_pseudo_bytes')) {
return openssl_random_pseudo_bytes($length);
} else {
$pr_bits = '';
$fp = @fopen('/dev/urandom', 'rb');
if ($fp !== false) {
$pr_bits .= @fread($fp, $length);
@fclose($fp);
} else {
$pr_bits = substr(rand(time()).rand(time()), 0, $length);
}
return $pr_bits;
}
}