From dd7b8e4555d3ad091f802f7d72ab38d38d632ea8 Mon Sep 17 00:00:00 2001
From: Robin Appelman <icewind@owncloud.com>
Date: Fri, 29 Aug 2014 10:50:39 +0200
Subject: [PATCH] Remove insecure fallback random number generation

---
 lib/private/util.php | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/lib/private/util.php b/lib/private/util.php
index c79f374771..ad078e8a44 100755
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -1208,6 +1208,7 @@ class OC_Util {
 	 *
 	 * @param int $length of the random string
 	 * @return string
+	 * @throws Exception when no secure RNG source is available
 	 * Please also update secureRNGAvailable if you change something here
 	 */
 	public static function generateRandomBytes($length = 30) {
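Review bot: The added `@throws` tag sits directly above the free-text reminder "Please also update secureRNGAvailable if you change something here", so documentation tools will read that sentence as a continuation of the `@throws` description. Moving the reminder into the summary part of the docblock, above `@param`, keeps the tag descriptions clean and makes the reminder harder to overlook. The tag could also be written as `@throws \Exception when no secure RNG source is available` so that it matches the fully qualified type the code throws.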
@@ -1228,17 +1229,8 @@ class OC_Util {
 			}
 		}
 
-		// Fallback to mt_rand()
-		$characters = '0123456789';
-		$characters .= 'abcdefghijklmnopqrstuvwxyz';
-		$charactersLength = strlen($characters) - 1;
-		$pseudoByte = "";
-
-		// Select some random characters
-		for ($i = 0; $i < $length; $i++) {
-			$pseudoByte .= $characters[mt_rand(0, $charactersLength)];
-		}
-		return $pseudoByte;
+		// No random numbers are better then bad random numbers
+		throw new \Exception('No secure random number generator available, please install the php-openssl extension');
 	}
 
 	/**
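Review bot: The new `throw` at the end of generateRandomBytes raises a bare `\Exception`, so a caller cannot separate "no secure RNG" from any other failure without matching on the message text. A more specific standard type stays compatible with existing `catch (\Exception ...)` blocks, for example `throw new \RuntimeException('No secure random number generator available, please install the php-openssl extension');`. The comment above it has a typo and should read `// No random numbers are better than bad random numbers`. The function body starts outside this hunk, so the sources tried before this point are not visible here. If anything other than OpenSSL is attempted, the message should say so. The docblock asks for secureRNGAvailable to be kept in sync, and the diffstat shows no other change, so it is worth confirming that it returns false in exactly the cases that now throw and that callers check it or handle the exception.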
-- 
GitLab