author | Lukas Reschke <lukas@statuscode.ch> | 2012-09-29 15:03:09 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2012-09-29 15:03:09 +0200 |
commit | bd804b74c46ed6779bf82a506711b48644a197f4 (patch) | |
tree | 3015f9d16e459364bad3cc1ca036c0ebabc3c227 /lib | |
parent | dc66e94ee3c14e73f0a4f5f79722e0855add71e1 (diff) | |
download | nextcloud-server-bd804b74c46ed6779bf82a506711b48644a197f4.tar.gz nextcloud-server-bd804b74c46ed6779bf82a506711b48644a197f4.zip |
mt_rand() is predictable and not suitable for security purposes. Let's use openssl_random_pseudo_bytes() instead.
Before: 26 bits entropy
After: 72 bits entropy
Diffstat (limited to 'lib')
-rwxr-xr-x | lib/util.php | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/util.php b/lib/util.php
index d1227f8379c..15e6f2824e5 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -440,7 +440,9 @@ class OC_Util {
 */
 public static function callRegister() {
 // generate a random token.
- $token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+ $bytes = openssl_random_pseudo_bytes(10, $cstrong);
+ $hex = bin2hex($bytes);
+ $token = $hex;
 // store the token together with a timestamp in the session.
 $_SESSION['requesttoken-'.$token]=time(); |
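Review bot: The `$cstrong` out-parameter that `openssl_random_pseudo_bytes()` fills is never inspected, and the call's `false` return on failure is not handled, so the new token can be built from bytes the library itself reports as not cryptographically strong, or from `bin2hex(false)` (an empty string, which would register the bare key `requesttoken-`). The generation should fail closed before the token is used: `if ($bytes === false || $cstrong !== true) { throw new Exception('Could not generate a cryptographically strong request token'); }`. The `$hex` intermediate adds nothing; `$token = bin2hex($bytes);` reads more directly. callRegister's body and the OC_Util class continue outside the hunk.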