From: Joas Schilling
Date: Fri, 12 Aug 2022 08:03:19 +0000 (+0200)
Subject: Create more secure passwords by default
X-Git-Tag: v23.0.9rc1~7^2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Fpull%2F33515%2Fhead;p=nextcloud-server.git
Create more secure passwords by default
Signed-off-by: Joas Schilling
---
diff --git a/lib/private/Setup/MySQL.php b/lib/private/Setup/MySQL.php
index 491419dfaf6..2c16cac3d26 100644
--- a/lib/private/Setup/MySQL.php
+++ b/lib/private/Setup/MySQL.php
@@ -142,6 +142,16 @@ class MySQL extends AbstractDatabase {
 $rootUser = $this->dbUser;
 $rootPassword = $this->dbPassword;
+ //create a random password so we don't need to store the admin password in the config file
+ $saveSymbols = str_replace(['\"', '\\', '\'', '`'], '', ISecureRandom::CHAR_SYMBOLS);
+ $password = $this->random->generate(22, ISecureRandom::CHAR_ALPHANUMERIC . $saveSymbols)
+ . $this->random->generate(2, ISecureRandom::CHAR_UPPER)
+ . $this->random->generate(2, ISecureRandom::CHAR_LOWER)
+ . $this->random->generate(2, ISecureRandom::CHAR_DIGITS)
+ . $this->random->generate(2, $saveSymbols)
+ ;
+ $this->dbPassword = str_shuffle($password);
+
 try {
 //user already specified in config
 $oldUser = $this->config->getValue('dbuser', false);
@@ -164,10 +174,6 @@ class MySQL extends AbstractDatabase {
 if (count($data) === 0) {
 //use the admin login data for the new database user
 $this->dbUser = $adminUser;
-
- //create a random password so we don't need to store the admin password in the config file
- $this->dbPassword = $this->random->generate(30, ISecureRandom::CHAR_ALPHANUMERIC);
-
 $this->createDBUser($connection);
 break;
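Review bot: In the first hunk (`@@ -142,6 +142,16 @@`), `$this->dbPassword = str_shuffle($password);` permutes CSPRNG output with `str_shuffle()`, which PHP documents as unsuitable for cryptographic use. The characters themselves still come from `$this->random`, so the exposure is limited to where the eight class-guaranteed characters land, but a Fisher–Yates pass driven by `random_int()` (below) would keep the whole password on a secure generator. Separately, `'\"'` in the `str_replace` search list is a single-quoted literal, i.e. a backslash followed by a double quote, so a bare `"` is stripped only if `ISecureRandom::CHAR_SYMBOLS` contains that exact pair; the constant is not visible in this diff and should be checked. The enclosing method begins before the hunk and its `try` block continues past it.

```php
// … unchanged: $saveSymbols filter and $password assembly …
// Fisher–Yates shuffle driven by the CSPRNG instead of str_shuffle()
$chars = str_split($password);
for ($i = count($chars) - 1; $i > 0; $i--) {
	$j = random_int(0, $i);
	[$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
}
$this->dbPassword = implode('', $chars);
```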