diff options
| -rw-r--r-- | core/lostpassword/index.php | 2 | ||||
| -rw-r--r-- | lib/setup.php | 3 | ||||
| -rwxr-xr-x | lib/util.php | 32 |
3 files changed, 30 insertions, 7 deletions
diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php index 7c6d51d99b8..4cd8b9079fd 100644 --- a/core/lostpassword/index.php +++ b/core/lostpassword/index.php @@ -13,7 +13,7 @@ require_once '../../lib/base.php'; // Someone lost their password: if (isset($_POST['user'])) { if (OC_User::userExists($_POST['user'])) { - $token = hash("sha256", $_POST['user'].openssl_random_pseudo_bytes(10, $cstrong)); + $token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10)); OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token); $email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', ''); if (!empty($email)) { diff --git a/lib/setup.php b/lib/setup.php index 6d8430c1036..16b9ec68df6 100644 --- a/lib/setup.php +++ b/lib/setup.php @@ -79,8 +79,7 @@ class OC_Setup { } //generate a random salt that is used to salt the local user passwords - $random_bytes = openssl_random_pseudo_bytes(30, $cstrong); - $salt = bin2hex($random_bytes); + $salt = OC_Util::generate_random_bytes(30); OC_Config::setValue('passwordsalt', $salt); //write the config file diff --git a/lib/util.php b/lib/util.php index 29ab2c34e96..310ca6afec9 100755 --- a/lib/util.php +++ b/lib/util.php @@ -437,9 +437,7 @@ class OC_Util { */ public static function callRegister() { // generate a random token. - $bytes = openssl_random_pseudo_bytes(10, $cstrong); - $hex = bin2hex($bytes); - $token = $hex; + $token = self::generate_random_bytes(20); // store the token together with a timestamp in the session. $_SESSION['requesttoken-'.$token]=time(); @@ -550,4 +548,30 @@ class OC_Util { } } -} + /* + * @brief Generates random bytes with "openssl_random_pseudo_bytes" with a fallback for systems without openssl + * Inspired by gorgo on php.net + * @param Int with the length of the random + * @return String with the random bytes + */ + public static function generate_random_bytes($length = 30) { + if(function_exists('openssl_random_pseudo_bytes')) { + $pseudo_byte = bin2hex(openssl_random_pseudo_bytes($length, $strong)); + if($strong == TRUE) { + return substr($pseudo_byte, 0, $length); // Truncate it to match the length + } + } + + // fallback to mt_rand() + $characters = '0123456789'; + $characters .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; + $charactersLength = strlen($characters)-1; + $pseudo_byte = ""; + + // Select some random characters + for ($i = 0; $i < $length; $i++) { + $pseudo_byte .= $characters[mt_rand(0, $charactersLength)]; + } + return $pseudo_byte; + } +}
\ No newline at end of file |