mt_rand() is not secure from a security point of view and predictable. Let's use openssl_random_pseudo_bytes() instead.

Before: 26 bits entropy
After: 72 bits entropy

lib/util.php

@@ -440,7 +440,9 @@ class OC_Util {
 	 */
 	public static function callRegister() {
 		// generate a random token.
-		$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+		$bytes = openssl_random_pseudo_bytes(10, $cstrong);
+		$hex = bin2hex($bytes);
+		$token = $hex;
 
 		// store the token together with a timestamp in the session.
 		$_SESSION['requesttoken-'.$token]=time();