the-djmaze/snappymail
1
1
Fork 0
mirror of https://github.com/the-djmaze/snappymail.git synced 2025-01-19 05:09:22 +08:00
Code Issues Projects Releases Packages Wiki Activity

Use random_bytes if available in postfix plugin

Browse source 
The [PHP `str_shuffle()`](http://php.net/manual/en/function.str-shuffle.php) documentation states:

```
This function does not generate cryptographically secure values, and should not be used for cryptographic purposes.
```

This change makes use of [`random_bytes()`](http://php.net/manual/en/function.random-bytes.php) if it's available and falls back to the old (probably ok) `str_shuffle()` implementation.
This commit is contained in:
Paul Borges 2019-02-06 15:06:09 -05:00 committed by GitHub
parent 80ad4fdbcc
commit 4890249b5a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
plugins/postfixadmin-change-password/ChangePasswordPostfixAdminDriver.php
View file

@ -286,7 +286,11 @@ class ChangePasswordPostfixAdminDriver implements \RainLoop\Providers\ChangePass
private function cryptPassword($sPassword, $oPdo)
{
$sResult = '';
$sSalt = substr(str_shuffle('./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'), 0, 16);
if (function_exists('random_bytes')) {
$sSalt = substr(base64_encode(random_bytes(32)), 0, 16);
} else {
$sSalt = substr(str_shuffle('./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'), 0, 16);
}
switch (strtolower($this->sEncrypt))
{
default: