Merge pull request #1944 from Startup-Stack/secure-app-salt

Use cryptographically secure random number generator for APP_SALT whe…
RainLoop Team 2020-03-16 00:02:34 +03:00 committed by GitHub
commit 538312ef3e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -124,15 +124,30 @@
unset($sCheckName, $sCheckFilePath, $sCheckFolder, $sTest);
}
if (false === $sSalt)
{
// random salt
$sSalt = '<'.'?php //'
.md5(microtime(true).rand(1000, 5000))
.md5(microtime(true).rand(5000, 9999))
.md5(microtime(true).rand(1000, 5000));
if (false === $sSalt) {
if (function_exists('random_bytes'))
{ // secure random salt
try
{
$sSalt = bin2hex(random_bytes(48));
}
catch (\Exception $oException)
{
$sSalt = false;
}
}
if ((false === $sSalt) && (function_exists('openssl_random_pseudo_bytes')))
{ // not-quite as secure random salt
$sSalt = bin2hex(openssl_random_pseudo_bytes(48));
}
if (false === $sSalt)
{ // pseudo-random salt
$sSalt = md5(microtime(true).rand(1000, 5000))
.md5(microtime(true).rand(5000, 9999))
.md5(microtime(true).rand(1000, 5000));
}
@file_put_contents(APP_DATA_FOLDER_PATH.'SALT.php', $sSalt);
@file_put_contents(APP_DATA_FOLDER_PATH.'SALT.php', '<'.'?php //'.$sSalt);
}
define('APP_SALT', md5($sSalt.APP_PRIVATE_DATA_NAME.$sSalt));
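Review bot: The openssl branch never checks its result: `openssl_random_pseudo_bytes()` can return false (and reports non-strong output through its second argument), and `bin2hex(false)` yields `''`, which is not `false`, so the md5 fallback that follows is skipped and an empty salt is written to SALT.php and used in `APP_SALT`. Capture and test both before accepting the value: `$sBytes = openssl_random_pseudo_bytes(48, $bStrong); $sSalt = (false !== $sBytes && $bStrong) ? bin2hex($sBytes) : false;`. Separately, the removed code wrote `$sSalt` to SALT.php verbatim and passed that same value to `define('APP_SALT', …)`, whereas the new code writes `'<?php //'.$sSalt` but defines with the bare `$sSalt`; if `$sSalt` is populated elsewhere by reading SALT.php back unmodified (the read is outside this hunk), APP_SALT on the first request would differ from its value on every later request. Keeping the prefix inside `$sSalt` as before, or stripping it where the file is read, would keep the two paths consistent. The enclosing block starts before this hunk.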