From 992c2c9d4bc20db1dc8170dcc60dc4438dc55eb0 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Sat, 29 Sep 2012 15:41:13 +0200
Subject: [PATCH] mt_rand() is not secure from a cryptographic point of view,
 let's use openssl_random_pseudo_bytes() here

---
 lib/setup.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/setup.php b/lib/setup.php
index c21c8be395..6d8430c103 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -79,7 +79,8 @@ class OC_Setup {
 			}
 
 			//generate a random salt that is used to salt the local user passwords
-			$salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+			$random_bytes = openssl_random_pseudo_bytes(30, $cstrong);
+			$salt = bin2hex($random_bytes);
 			OC_Config::setValue('passwordsalt', $salt);
 
 			//write the config file
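Review bot: The `$cstrong` flag that openssl_random_pseudo_bytes() sets on the new line 20 is captured but never inspected, and a `false` return from the call would make `bin2hex($random_bytes)` an empty string, so a failure to obtain cryptographically strong bytes would silently persist an empty or weak `passwordsalt`. The result should be checked before OC_Config::setValue() is reached, e.g. `if ($random_bytes === false || $cstrong !== true) { /* abort setup with an error, following this file's existing error-reporting convention */ }`. The function is also undefined when the openssl extension is not loaded, which turns setup into a fatal error; a `function_exists('openssl_random_pseudo_bytes')` check that reports a clear setup error is worth adding, since the commit does not address either failure path. The enclosing OC_Setup method starts and ends outside the hunk.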
-- 
GitLab