Improve token generation by using openssl by default, then /dev/urandom and fallback to uniqid()

This commit is contained in:
Frédéric Guillot 2014-03-14 21:26:14 -04:00
parent 5469400c5b
commit 39aa6ad8e2

View File

@ -130,12 +130,14 @@ function get_nothing_to_read_redirections()
// Generate a token from /dev/urandom or with uniqid() if open_basedir is enabled // Generate a token from /dev/urandom or with uniqid() if open_basedir is enabled
function generate_token() function generate_token()
{ {
if (ini_get('open_basedir') === '') { if (function_exists('openssl_random_pseudo_bytes')) {
return substr(base64_encode(file_get_contents('/dev/urandom', false, null, 0, 20)), 0, 15); return bin2hex(\openssl_random_pseudo_bytes(16));
} }
else { else if (ini_get('open_basedir') === '' && strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
return substr(base64_encode(uniqid(mt_rand(), true)), 0, 20); return hash('sha256', file_get_contents('/dev/urandom', false, null, 0, 30));
} }
return hash('sha256', uniqid(mt_rand(), true));
} }
// Regenerate tokens for the API and bookmark feed // Regenerate tokens for the API and bookmark feed