Commit bd804b74 authored by Lukas Reschke's avatar Lukas Reschke

mt_rand() is not secure from a security point of view and predictable. Let's use openssl_random_pseudo_bytes() instead.

Before: 26 bits entropy
After: 72 bits entropy
parent dc66e94e
...@@ -440,7 +440,9 @@ class OC_Util { ...@@ -440,7 +440,9 @@ class OC_Util {
*/ */
public static function callRegister() { public static function callRegister() {
// generate a random token. // generate a random token.
$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000); $bytes = openssl_random_pseudo_bytes(10, $cstrong);
$hex = bin2hex($bytes);
$token = $hex;
// store the token together with a timestamp in the session. // store the token together with a timestamp in the session.
$_SESSION['requesttoken-'.$token]=time(); $_SESSION['requesttoken-'.$token]=time();
......
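Review bot: the `$cstrong` out-parameter on the new `openssl_random_pseudo_bytes(10, $cstrong)` line is assigned but never checked, so if the OpenSSL backend reports that the bytes are not cryptographically strong the weak value still becomes the request token; fail closed instead, e.g. `if ($cstrong !== true) { throw new \Exception('no secure random source'); }` before `$hex = bin2hex($bytes);`. Two smaller points: `$hex = bin2hex($bytes); $token = $hex;` can be a single `$token = bin2hex($bytes);`, and the commit message's "72 bits" understates the change, since 10 random bytes are 80 bits (20 hex characters) of token entropy.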