sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use openssl_random_pseudo_bytes if available 

This is a backport of ef57e92 /cc @DeepDiver1975
remotes/origin/stable4
Lukas Reschke 2012-10-06 14:19:58 +07:00
parent ca216b5296
commit 375eae1a5c
3 changed files with 28 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/lostpassword/index.php
Unescape Escape View File

@ -13,7 +13,7 @@ require_once('../../lib/base.php');
// Someone lost their password:
if (isset($_POST['user'])) {
if (OC_User::userExists($_POST['user'])) {
$token = sha1($_POST['user'].md5(uniqid(rand(), true)));
$token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {

2
lib/setup.php
Unescape Escape View File

@ -74,7 +74,7 @@ class OC_Setup {
}
//generate a random salt that is used to salt the local user passwords
$salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
$salt = OC_Util::generate_random_bytes(30);
OC_Config::setValue('passwordsalt', $salt);
//write the config file

30
lib/util.php
Unescape Escape View File

@ -346,7 +346,7 @@ class OC_Util {
$maxtime=(60*60); // 1 hour
// generate a random token.
$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
$token = self::generate_random_bytes(20);
// store the token together with a timestamp in the session.
$_SESSION['requesttoken-'.$token]=time();
@ -459,8 +459,30 @@ class OC_Util {
}
/*
* @brief Generates random bytes with "openssl_random_pseudo_bytes" with a fallback for systems without openssl
* Inspired by gorgo on php.net
* @param Int with the length of the random
* @return String with the random bytes
*/
public static function generate_random_bytes($length = 30) {
if(function_exists('openssl_random_pseudo_bytes')) {
$pseudo_byte = bin2hex(openssl_random_pseudo_bytes($length, $strong));
if($strong == TRUE) {
return substr($pseudo_byte, 0, $length); // Truncate it to match the length
}
}
}
// fallback to mt_rand()
$characters = '0123456789';
$characters .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
$charactersLength = strlen($characters)-1;
$pseudo_byte = "";
// Select some random characters
for ($i = 0; $i < $length; $i++) {
$pseudo_byte .= $characters[mt_rand(0, $charactersLength)];
}
return $pseudo_byte;
}
}