[Pkg-owncloud-commits] [owncloud] 45/73: Use openssl_random_pseudo_bytes if available
David Prévot
taffit at alioth.debian.org
Fri Nov 8 23:09:07 UTC 2013
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to annotated tag v4.0.10
in repository owncloud.
commit 375eae1a5c1cd97501e6f2b770ee2b22668a91e1
Author: Lukas Reschke <lukas at statuscode.ch>
Date: Sat Oct 6 14:19:58 2012 +0200
Use openssl_random_pseudo_bytes if available
This is a backport of ef57e92 /cc @DeepDiver1975
---
core/lostpassword/index.php | 2 +-
lib/setup.php | 2 +-
lib/util.php | 30 ++++++++++++++++++++++++++----
3 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php
index b32b56f..58ac8f4 100644
--- a/core/lostpassword/index.php
+++ b/core/lostpassword/index.php
@@ -13,7 +13,7 @@ require_once('../../lib/base.php');
// Someone lost their password:
if (isset($_POST['user'])) {
if (OC_User::userExists($_POST['user'])) {
- $token = sha1($_POST['user'].md5(uniqid(rand(), true)));
+ $token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
diff --git a/lib/setup.php b/lib/setup.php
index 59c3aef..9e7129d 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -74,7 +74,7 @@ class OC_Setup {
}
//generate a random salt that is used to salt the local user passwords
- $salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+ $salt = OC_Util::generate_random_bytes(30);
OC_Config::setValue('passwordsalt', $salt);
//write the config file
diff --git a/lib/util.php b/lib/util.php
index 0139d52..22ecf80 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -346,7 +346,7 @@ class OC_Util {
$maxtime=(60*60); // 1 hour
// generate a random token.
- $token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+ $token = self::generate_random_bytes(20);
// store the token together with a timestamp in the session.
$_SESSION['requesttoken-'.$token]=time();
@@ -459,8 +459,30 @@ class OC_Util {
}
-
-
+ /*
+ * @brief Generates random bytes with "openssl_random_pseudo_bytes" with a fallback for systems without openssl
+ * Inspired by gorgo on php.net
+ * @param Int with the length of the random
+ * @return String with the random bytes
+ */
+ public static function generate_random_bytes($length = 30) {
+ if(function_exists('openssl_random_pseudo_bytes')) {
+ $pseudo_byte = bin2hex(openssl_random_pseudo_bytes($length, $strong));
+ if($strong == TRUE) {
+ return substr($pseudo_byte, 0, $length); // Truncate it to match the length
+ }
+ }
-}
+ // fallback to mt_rand()
+ $characters = '0123456789';
+ $characters .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
+ $charactersLength = strlen($characters)-1;
+ $pseudo_byte = "";
+ // Select some random characters
+ for ($i = 0; $i < $length; $i++) {
+ $pseudo_byte .= $characters[mt_rand(0, $charactersLength)];
+ }
+ return $pseudo_byte;
+ }
+}
\ No newline at end of file
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git
More information about the Pkg-owncloud-commits
mailing list