From f363e226fd48e95053db1b11d4e0e198e3f0374c Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 2 Nov 2022 09:00:01 +0100
Subject: [PATCH] SeedDMS_Core_DMS::createPasswordRequest() creates a cryptographically secure hash
---
 SeedDMS_Core/Core/inc.ClassDMS.php | 10 +++++++++-
 SeedDMS_Core/package.xml | 1 +
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/SeedDMS_Core/Core/inc.ClassDMS.php b/SeedDMS_Core/Core/inc.ClassDMS.php
index bfda37984..e234625fe 100644
--- a/SeedDMS_Core/Core/inc.ClassDMS.php
+++ b/SeedDMS_Core/Core/inc.ClassDMS.php
@@ -2541,7 +2541,15 @@ class SeedDMS_Core_DMS {
 * @return string|boolean hash value of false in case of an error
 */
 function createPasswordRequest($user) { /* {{{ */
- $hash = md5(uniqid(time()));
+ $lenght = 32;
+ if (function_exists("random_bytes")) {
+ $bytes = random_bytes(ceil($lenght / 2));
+ } elseif (function_exists("openssl_random_pseudo_bytes")) {
+ $bytes = openssl_random_pseudo_bytes(ceil($lenght / 2));
+ } else {
+ return false;
+ }
+ $hash = bin2hex($bytes);
 $queryStr = "INSERT INTO `tblUserPasswordRequest` (`userID`, `hash`, `date`) VALUES (" . $user->getId() . ", " . $this->db->qstr($hash) .", ".$this->db->getCurrentDatetime().")";
 $resArr = $this->db->getResult($queryStr);
 if (is_bool($resArr) && !$resArr) return false;
diff --git a/SeedDMS_Core/package.xml b/SeedDMS_Core/package.xml
index 28e97ae34..e384b9ad2 100644
--- a/SeedDMS_Core/package.xml
+++ b/SeedDMS_Core/package.xml
@@ -26,6 +26,7 @@
 - fix SeedDMS_Core_User::getDocumentContents()
 - fix SeedDMS_Core_File::fileExtension()
+- SeedDMS_Core_DMS::createPasswordRequest() creates a cryptographically secure hash
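Review bot: The `openssl_random_pseudo_bytes()` fallback in `createPasswordRequest()` uses its result unchecked: on the older PHP versions where this branch is reachable (no `random_bytes()`), the call can return `false` or bytes not flagged as cryptographically strong, and `bin2hex(false)` would then store an empty string as the reset hash. Pass the second argument and fail closed, e.g. `$bytes = openssl_random_pseudo_bytes(ceil($lenght / 2), $strong);` followed by `if ($bytes === false || !$strong) return false;`. `random_bytes()` throws when no entropy source is available, which bypasses the documented `false` return unless callers catch it, so a try/catch or a docblock note would help. Minor: `$lenght` is a typo for `$length`. The function body continues past the end of the hunk, so how the hash is returned and later compared is not visible here.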