From 992c2c9d4bc20db1dc8170dcc60dc4438dc55eb0 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Sat, 29 Sep 2012 15:41:13 +0200 Subject: [PATCH] mt_rand() is not secure from a cryptographic point of view, let's use openssl_random_pseudo_bytes() here --- lib/setup.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/setup.php b/lib/setup.php index c21c8be395..6d8430c103 100644 --- a/lib/setup.php +++ b/lib/setup.php @@ -79,7 +79,8 @@ class OC_Setup { } //generate a random salt that is used to salt the local user passwords - $salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000); + $random_bytes = openssl_random_pseudo_bytes(30, $cstrong); + $salt = bin2hex($random_bytes); OC_Config::setValue('passwordsalt', $salt); //write the config file