From bd804b74c46ed6779bf82a506711b48644a197f4 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Sat, 29 Sep 2012 15:03:09 +0200
Subject: [PATCH] mt_rand() is not secure from a security point of view and
 predictable. Let's use openssl_random_pseudo_bytes() instead.

Before: 26 bits entropy
After: 72 bits entropy
---
 lib/util.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/util.php b/lib/util.php
index d1227f8379..15e6f2824e 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -440,7 +440,9 @@ class OC_Util {
 	 */
 	public static function callRegister() {
 		// generate a random token.
-		$token=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+		$bytes = openssl_random_pseudo_bytes(10, $cstrong);
+		$hex = bin2hex($bytes);
+		$token = $hex;
 
 		// store the token together with a timestamp in the session.
 		$_SESSION['requesttoken-'.$token]=time();