From 0a8c52de14b59dbc66e770b20d5d908999ba1641 Mon Sep 17 00:00:00 2001
From: Florian Schmitt
Date: Thu, 31 Oct 2024 12:21:17 +0100
Subject: [PATCH] feat(security): harden security with random_bytes

---
 includes/services/UserManager.php | 4 ++--
 tools/login/actions/LostPasswordAction.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/services/UserManager.php b/includes/services/UserManager.php
index 95a384b5c..4db091042 100644
--- a/includes/services/UserManager.php
+++ b/includes/services/UserManager.php
@@ -196,7 +196,7 @@ protected function generateUserLink($user)
 {
 // Generate the password recovery key
 $passwordHasher = $this->passwordHasherFactory->getPasswordHasher($user);
- $plainKey = $user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s');
+ $plainKey = $user['name'] . '_' . $user['email'] . random_bytes(16) . date('Y-m-d H:i:s');
 $hashedKey = $passwordHasher->hash($plainKey);
 $tripleStore = $this->wiki->services->get(TripleStore::class);
 // Erase the previous triples in the trible table
@@ -254,7 +254,7 @@ public function getUserLink(): string
 public function getLastUserLink(User $user): string
 {
 $passwordHasher = $this->passwordHasherFactory->getPasswordHasher($user);
- $plainKey = $user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s');
+ $plainKey = $user['name'] . '_' . $user['email'] . random_bytes(16) . date('Y-m-d H:i:s');
 $hashedKey = $passwordHasher->hash($plainKey);
 $tripleStore = $this->wiki->services->get(TripleStore::class);
 $key = $tripleStore->getOne($user['name'], self::KEY_VOCABULARY, '', '');
diff --git a/tools/login/actions/LostPasswordAction.php b/tools/login/actions/LostPasswordAction.php
index 0b67fdc07..6a519bc7e 100644
--- a/tools/login/actions/LostPasswordAction.php
+++ b/tools/login/actions/LostPasswordAction.php
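Review bot: The new `random_bytes(16)` on the `+` line of this hunk (and the identical line in `getLastUserLink` in the next hunk and in `LostPasswordAction::sendPasswordRecoveryEmail`) concatenates 16 raw bytes — which may contain NUL and invalid UTF-8 sequences — into `$plainKey`, a string whose surrounding names suggest it is later placed in a recovery link or e-mail; only the hashed form is visible here, so whether the plain key leaves the function is inferred. Encoding the bytes keeps the 128 bits of entropy while making the token printable and safe for URLs and mail bodies: `$plainKey = $user['name'] . '_' . $user['email'] . bin2hex(random_bytes(16)) . date('Y-m-d H:i:s');`. If the hasher returned by `getPasswordHasher` is bcrypt-backed, its 72-byte input limit (or the hasher's own length check) can also bite once name and e-mail are long, so the random material should not be the part that gets truncated; a comment such as `// 128-bit token, hex-encoded so the key stays printable` would document the choice. Since the expression now appears three times, a single private helper returning the key would keep the encoding decision in one place. `generateUserLink` starts and ends outside the hunk.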
@@ -209,7 +209,7 @@ private function sendPasswordRecoveryEmail(User $user)
 {
 // Generate the password recovery key
 $passwordHasher = $this->passwordHasherFactory->getPasswordHasher($user);
- $plainKey = $user['name'] . '_' . $user['email'] . random_int(0, 10000) . date('Y-m-d H:i:s');
+ $plainKey = $user['name'] . '_' . $user['email'] . random_bytes(16) . date('Y-m-d H:i:s');
 $hashedKey = $passwordHasher->hash($plainKey);
 // Erase the previous triples in the trible table
 $this->tripleStore->delete($user['name'], self::KEY_VOCABULARY, null, '', '') ;