From 24ce5d5833c07cf06921e2499c454d3e344d203b Mon Sep 17 00:00:00 2001
From: Bert Van de Poel
Date: Sat, 24 Apr 2021 03:33:50 +0200
Subject: [PATCH] Replace salt function with a more modern, cryptographically secure pseudo-random method
Set minimum PHP version to 7.0.0 for random_bytes
---
 INSTALL.md | 2 +-
 lib/config_default.php | 2 +-
 lib/functions.php | 12 +++---------
 3 files changed, 5 insertions(+), 11 deletions(-)
diff --git a/INSTALL.md b/INSTALL.md
index d9ca60c..243111c 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -5,7 +5,7 @@ For install instructions in non-English languages, see the wiki:
 phpLDAPadmin requires the following:
 a. A web server (Apache, IIS, etc).
- b. PHP 5.5.0 or newer (with LDAP support)
+ b. PHP 7.0.0 or newer (with LDAP support)
 * To install
diff --git a/lib/config_default.php b/lib/config_default.php
index 4cc10b1..9c18be4 100644
--- a/lib/config_default.php
+++ b/lib/config_default.php
@@ -8,7 +8,7 @@
 */
 /** The minimum version of PHP required to run phpLDAPadmin. */
-define('REQUIRED_PHP_VERSION','5.5.0');
+define('REQUIRED_PHP_VERSION','7.0.0');
 /**
 * The config class contains all our configuration settings for a session.
diff --git a/lib/functions.php b/lib/functions.php
index 829fc74..2328ea7 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1828,15 +1828,9 @@ function random_salt($length) {
 if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
- $possible = '0123456789'. 'abcdefghijklmnopqrstuvwxyz'. 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'. './';
- $str = '';
- mt_srand((double)microtime() * 1000000);
-
- while (strlen($str) < $length)
- $str .= substr($possible,(rand()%strlen($possible)),1);
+ $str = bin2hex(random_bytes(ceil($length/2)));
+ if ($length % 2 == 1) return substr($str, 0, -1);
 return $str;
 }
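Review bot: The replacement shrinks the salt alphabet from the 64 symbols `[A-Za-z0-9./]` that the removed `$possible` string offered to the 16 hex symbols produced by `bin2hex()`, so a salt of the same `$length` carries 4 bits per character instead of 6 (a two-character salt drops from 4096 to 256 possible values) even though the underlying source of randomness is now far stronger. Mapping the bytes onto the original alphabet keeps the full strength and also removes the odd-length special case: `return substr(strtr(base64_encode(random_bytes($length)), '+', '.'), 0, $length);` (base64 output for `$length` bytes is always at least `$length` characters before any padding, and `+` is the only base64 symbol outside the crypt alphabet). If the hex form is kept, `ceil($length/2)` yields a float that `random_bytes()` only accepts through coercion; `intdiv($length + 1, 2)` is the integer form. Note that `random_bytes()` throws for a length below 1 and when no CSPRNG source is available, so any caller that passed a `$length` of 0 (the old loop returned `''`) would now get an exception — worth confirming against the call sites, which are outside this patch. The `random_salt($length)` signature sits on the `@@` line outside the hunk and remains untyped.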