mirror/postfixadmin
0
0
Fork 0
mirror of https://github.com/postfixadmin/postfixadmin.git synced 2024-09-19 19:22:14 +02:00
Code

see https://github.com/postfixadmin/postfixadmin/issues/523 - improve randomness when creating the PFA_token field; reported by @michaellrowley via huntr.dev.

Browse Source
This commit is contained in:
David Goodwin 2021-08-04 16:56:37 +01:00
parent 99a549c2e3
commit 25ac89f6a7
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
functions.inc.php
View File

@ -108,7 +108,8 @@ function init_session($username, $is_admin = false)
$_SESSION['sessid']['roles'] = array();
$_SESSION['sessid']['roles'][] = $is_admin ? 'admin' : 'user';
$_SESSION['sessid']['username'] = $username;
$_SESSION['PFA_token'] = md5(uniqid("", true));
$_SESSION['PFA_token'] = md5(random_bytes(8) . uniqid('pfa', true));
return $status;
}

3
public/users/login.php
View File

@ -70,8 +70,7 @@ session_start();
if ($error) {
flash_error($error);
}
$_SESSION['PFA_token'] = md5(uniqid('pfa' . rand(), true));
$_SESSION['PFA_token'] = md5(random_bytes(8) . uniqid('pfa', true));
$smarty->assign('language_selector', language_selector(), false);
$smarty->assign('smarty_template', 'login');