upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-08 16:26:59 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 12

mt_rand() is not secure from a security point of view and predictable. Let's use openssl_random_pseudo_bytes() instead.

Browse source 
Before: 26 bits entropy
After: 72 bits entropy
This commit is contained in:
Lukas Reschke 2012-09-29 15:03:09 +02:00
parent dc66e94ee3
commit bd804b74c4
1 changed files with 3 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lib/util.php
View file

@ -440,7 +440,9 @@ class OC_Util {
*/
public static function callRegister() {
// generate a random token.
$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
$bytes = openssl_random_pseudo_bytes(10, $cstrong);
$hex = bin2hex($bytes);
$token = $hex;
// store the token together with a timestamp in the session.
$_SESSION['requesttoken-'.$token]=time();