Use big random number for parent password generation

francoisjacquet · Apr 27, 2022 · 1e1c7fc · 1e1c7fc
1 parent ff762f1
commit 1e1c7fc
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -5,6 +5,7 @@ Changes in 8.9.5
 ----------------
 - Fix stored XSS security issue: do not allow unsanitized XML & HTML in FileUpload.fnc.php, thanks to @nhienit2010
 - Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha
+- Use big random number for parent password generation in NotifyParents.php & CreateParents.php, thanks to @intrapus
 
 Changes in 8.9.4
 ----------------

diff --git a/modules/Custom/CreateParents.php b/modules/Custom/CreateParents.php
@@ -188,11 +188,10 @@
 
 					$user = $user[1];
 
-					//FJ change parent password generation
-					//$password = $passwords[rand(0,count( $passwords )-1)];
-					$password = $username . rand( 100, 999 );
+					// Use big random number for parent password generation.
+					$password = $username . rand( 1, 99999999999 );
 
-					// FJ Moodle integrator / password.
+					// Moodle integrator / password.
 					$password = ucfirst( $password ) . '*';
 
 					if ( ! $test_email )

diff --git a/modules/Custom/NotifyParents.php b/modules/Custom/NotifyParents.php
@@ -56,9 +56,9 @@
 		{
 			$staff_id = $staff['STAFF_ID'];
 
-			//FJ change parent password generation
-			$password = $staff['USERNAME'] . rand( 1000, 9999 );
-			//FJ add password encryption
+			// Use big random number for parent password generation.
+			$password = $staff['USERNAME'] . rand( 1, 9999999999 );
+
 			$password_encrypted = encrypt_password( $password );
 			DBQuery( "UPDATE STAFF SET PASSWORD='" . $password_encrypted . "' WHERE STAFF_ID='" . $staff_id . "'" );