From a7f03d101ccbb85b231ff592d31e01dc78b93206 Mon Sep 17 00:00:00 2001 From: Peter Linss Date: Tue, 19 Nov 2019 16:48:40 -0800 Subject: [PATCH] Use cryptographically secure random number generator for APP_SALT when available --- rainloop/v/0.0.0/include.php | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/rainloop/v/0.0.0/include.php b/rainloop/v/0.0.0/include.php index 5b51731dd..26600d423 100644 --- a/rainloop/v/0.0.0/include.php +++ b/rainloop/v/0.0.0/include.php @@ -126,13 +126,22 @@ if (false === $sSalt) { - // random salt - $sSalt = '<'.'?php //' - .md5(microtime(true).rand(1000, 5000)) - .md5(microtime(true).rand(5000, 9999)) - .md5(microtime(true).rand(1000, 5000)); + if (function_exists('random_bytes')) + { // secure random salt + $sSalt = bin2hex(random_bytes(48)); + } + elseif (function_exists('openssl_random_pseudo_bytes')) + { // not-quite as secure random salt + $sSalt = bin2hex(openssl_random_pseudo_bytes(48)); + } + else + { // pseudo-random salt + $sSalt = md5(microtime(true).rand(1000, 5000)) + .md5(microtime(true).rand(5000, 9999)) + .md5(microtime(true).rand(1000, 5000)); + } - @file_put_contents(APP_DATA_FOLDER_PATH.'SALT.php', $sSalt); + @file_put_contents(APP_DATA_FOLDER_PATH.'SALT.php', '<'.'?php //'.$sSalt); } define('APP_SALT', md5($sSalt.APP_PRIVATE_DATA_NAME.$sSalt));
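Review bot: The first request that generates a salt now feeds the bare hex string into `define('APP_SALT', ...)`, while every later request reads `SALT.php` back with the `'<'.'?php //'` prefix the new `file_put_contents` line prepends — if the read above the hunk is a raw `file_get_contents`, as the old code's habit of keeping that prefix inside `$sSalt` suggests, APP_SALT silently changes after the first request and any value derived from it during that request stops matching. Keep the old invariant by prefixing once after the three branches, `$sSalt = '<'.'?php //'.$sSalt;`, and writing `$sSalt` unchanged, or strip the prefix where the file is read. In the `openssl_random_pseudo_bytes` branch the `$crypto_strong` out-parameter is ignored and a `false` return (PHP < 8) turns into `bin2hex(false)`, an empty salt; pass `$bStrong` as the second argument and fall through to the last branch unless `$bStrong` is true and the result is a non-empty string. The remaining `md5(microtime(true).rand(...))` fallback is guessable from the request timestamp and a four-digit range, so a comment such as `// not secure: only reached on PHP < 7 without OpenSSL; upgrade rather than rely on this` would help operators understand what "pseudo-random salt" costs them.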