Merge pull request #1944 from Startup-Stack/secure-app-salt

Use cryptographically secure random number generator for APP_SALT whe…
This commit is contained in:
RainLoop Team 2020-03-16 00:02:34 +03:00 committed by GitHub
commit 538312ef3e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -124,15 +124,30 @@
unset($sCheckName, $sCheckFilePath, $sCheckFolder, $sTest); unset($sCheckName, $sCheckFilePath, $sCheckFolder, $sTest);
} }
if (false === $sSalt) if (false === $sSalt) {
if (function_exists('random_bytes'))
{ // secure random salt
try
{ {
// random salt $sSalt = bin2hex(random_bytes(48));
$sSalt = '<'.'?php //' }
.md5(microtime(true).rand(1000, 5000)) catch (\Exception $oException)
{
$sSalt = false;
}
}
if ((false === $sSalt) && (function_exists('openssl_random_pseudo_bytes')))
{ // not-quite as secure random salt
$sSalt = bin2hex(openssl_random_pseudo_bytes(48));
}
if (false === $sSalt)
{ // pseudo-random salt
$sSalt = md5(microtime(true).rand(1000, 5000))
.md5(microtime(true).rand(5000, 9999)) .md5(microtime(true).rand(5000, 9999))
.md5(microtime(true).rand(1000, 5000)); .md5(microtime(true).rand(1000, 5000));
}
@file_put_contents(APP_DATA_FOLDER_PATH.'SALT.php', $sSalt); @file_put_contents(APP_DATA_FOLDER_PATH.'SALT.php', '<'.'?php //'.$sSalt);
} }
define('APP_SALT', md5($sSalt.APP_PRIVATE_DATA_NAME.$sSalt)); define('APP_SALT', md5($sSalt.APP_PRIVATE_DATA_NAME.$sSalt));