open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

mt_rand() is not secure from a security point of view and predictable. Let's use openssl_random_pseudo_bytes() instead.

Browse Source 
Before: 26 bits entropy
After: 72 bits entropy
remotes/origin/stable45
Lukas Reschke 13 years ago
parent dc66e94ee3
commit bd804b74c4
1 changed files with 3 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 4
      lib/util.php

4
lib/util.php
Unescape View File

@ -440,7 +440,9 @@ class OC_Util {
*/
public static function callRegister() {
// generate a random token.
$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
$bytes = openssl_random_pseudo_bytes(10, $cstrong);
$hex = bin2hex($bytes);
$token = $hex;
// store the token together with a timestamp in the session.
$_SESSION['requesttoken-'.$token]=time();

Write Preview
Loading…
Cancel
Save