Use random_bytes if available in postfix plugin

The [PHP `str_shuffle()`](http://php.net/manual/en/function.str-shuffle.php) documentation states:

```
This function does not generate cryptographically secure values, and should not be used for cryptographic purposes.
```

This change makes use of [`random_bytes()`](http://php.net/manual/en/function.random-bytes.php) if it's available and falls back to the old (probably ok) `str_shuffle()` implementation.
This commit is contained in:
Paul Borges 2019-02-06 15:06:09 -05:00 committed by GitHub
parent 80ad4fdbcc
commit 4890249b5a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -286,7 +286,11 @@ class ChangePasswordPostfixAdminDriver implements \RainLoop\Providers\ChangePass
private function cryptPassword($sPassword, $oPdo)
{
$sResult = '';
if (function_exists('random_bytes')) {
$sSalt = substr(base64_encode(random_bytes(32)), 0, 16);
} else {
$sSalt = substr(str_shuffle('./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'), 0, 16);
}
switch (strtolower($this->sEncrypt))
{
default: