diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2012-09-29 15:33:10 +0200 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2012-09-29 15:33:10 +0200 |
| commit | 36f1c9b0835bd7118dc7d8aba4b4c56c6d922b09 (patch) | |
| tree | 5bb8ad746565d05f227cb9f5fcaea8be00eff8e6 /core | |
| parent | 578aa4e42546a81e572ecda2061e238d34a4f421 (diff) | |
| download | nextcloud-server-36f1c9b0835bd7118dc7d8aba4b4c56c6d922b09.tar.gz nextcloud-server-36f1c9b0835bd7118dc7d8aba4b4c56c6d922b09.zip | |
rand() + uniqid() are not from cryptographic quality
Diffstat (limited to 'core')
| -rw-r--r-- | core/lostpassword/index.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php index 9eda0915b08..7c6d51d99b8 100644 --- a/core/lostpassword/index.php +++ b/core/lostpassword/index.php @@ -13,7 +13,7 @@ require_once '../../lib/base.php'; // Someone lost their password: if (isset($_POST['user'])) { if (OC_User::userExists($_POST['user'])) { - $token = sha1($_POST['user'].md5(uniqid(rand(), true))); + $token = hash("sha256", $_POST['user'].openssl_random_pseudo_bytes(10, $cstrong)); OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token); $email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', ''); if (!empty($email)) { |