From 36f1c9b0835bd7118dc7d8aba4b4c56c6d922b09 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Sat, 29 Sep 2012 15:33:10 +0200
Subject: [PATCH] rand() + uniqid() are not from cryptographic quality

---
 core/lostpassword/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php
index 9eda0915b0..7c6d51d99b 100644
--- a/core/lostpassword/index.php
+++ b/core/lostpassword/index.php
@@ -13,7 +13,7 @@ require_once '../../lib/base.php';
 // Someone lost their password:
 if (isset($_POST['user'])) {
 	if (OC_User::userExists($_POST['user'])) {
-		$token = sha1($_POST['user'].md5(uniqid(rand(), true)));
+		$token = hash("sha256", $_POST['user'].openssl_random_pseudo_bytes(10, $cstrong));
 		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
 		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
 		if (!empty($email)) {
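Review bot: On the new `$token` line the `$cstrong` out-parameter is filled in but never checked, and the return value of `openssl_random_pseudo_bytes()` is not tested for `false`. If generation fails or falls back to a non-cryptographic source, the token is still stored and is then derived mostly from the attacker-known `$_POST['user']`. I would split the call out and fail closed, e.g. `$random = openssl_random_pseudo_bytes(32, $cstrong);` followed by `if ($random === false || !$cstrong) { /* abort the reset request */ }`, and only then compute `hash("sha256", $_POST['user'].$random)`. Requesting 32 bytes instead of 10 also lifts the token above 80 bits of entropy at no cost. The enclosing `if` blocks continue past the end of this hunk, so how the token is mailed and later compared is not visible here.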
-- 
GitLab