From 1e1c7fc9c45f6852d36204de5e01180dc9539194 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Jacquet?=
Date: Wed, 27 Apr 2022 21:31:21 +0200
Subject: [PATCH] Use big random number for parent password generation

---
 CHANGES.md | 1 +
 modules/Custom/CreateParents.php | 7 +++----
 modules/Custom/NotifyParents.php | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index cff43ec6a..55a3b0382 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,7 @@ Changes in 8.9.5
 ----------------
 - Fix stored XSS security issue: do not allow unsanitized XML & HTML in FileUpload.fnc.php, thanks to @nhienit2010
 - Fix stored XSS security issue: escape HTML attribute in StudentAssignments.fnc.php, thanks to @dungtuanha
+- Use big random number for parent password generation in NotifyParents.php & CreateParents.php, thanks to @intrapus
 
 Changes in 8.9.4
 ----------------
diff --git a/modules/Custom/CreateParents.php b/modules/Custom/CreateParents.php
index 507b5056d..209baf32a 100644
--- a/modules/Custom/CreateParents.php
+++ b/modules/Custom/CreateParents.php
@@ -188,11 +188,10 @@
 $user = $user[1];
 
-//FJ change parent password generation
-//$password = $passwords[rand(0,count( $passwords )-1)];
-$password = $username . rand( 100, 999 );
+// Use big random number for parent password generation.
+$password = $username . rand( 1, 99999999999 );
 
-// FJ Moodle integrator / password.
+// Moodle integrator / password.
 $password = ucfirst( $password ) . '*';
 
 if ( ! $test_email )
diff --git a/modules/Custom/NotifyParents.php b/modules/Custom/NotifyParents.php
index e5a005c9d..b19b8a2a1 100644
--- a/modules/Custom/NotifyParents.php
+++ b/modules/Custom/NotifyParents.php
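Review bot: The new `$password = $username . rand( 1, 99999999999 );` line still derives the credential from `rand()`, which since PHP 7.1 is an alias of the Mersenne Twister `mt_rand()` and is not a cryptographically secure generator, so widening the range adds digits without making the suffix unpredictable to anyone who can observe other outputs of the same generator; `random_int()` is the CSPRNG call with the same signature: `$password = $username . random_int( 1, 99999999999 );`. The same replacement applies to the NotifyParents.php hunk below (`rand( 1, 9999999999 )`). The literal 99999999999 is larger than PHP_INT_MAX on 32-bit builds, where it is parsed as a float and would likely be rejected by `random_int()` (and by `rand()` under strict types), so if 32-bit hosts are supported a bound within the 32-bit range, or a `random_bytes()`-based suffix, would be safer. The enclosing loop and function start and end outside the hunk.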
@@ -56,9 +56,9 @@
 {
 $staff_id = $staff['STAFF_ID'];
 
-//FJ change parent password generation
-$password = $staff['USERNAME'] . rand( 1000, 9999 );
-//FJ add password encryption
+// Use big random number for parent password generation.
+$password = $staff['USERNAME'] . rand( 1, 9999999999 );
+
 $password_encrypted = encrypt_password( $password );
 
 DBQuery( "UPDATE STAFF SET PASSWORD='" . $password_encrypted . "' WHERE STAFF_ID='" . $staff_id . "'" );
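Review bot: The new `rand( 1, 9999999999 )` uses an upper bound one digit shorter than the 99999999999 chosen by the parallel change in CreateParents.php, and nothing in either hunk explains the difference; using one bound in both places (or one shared helper that returns the random suffix) keeps the two generated passwords equally strong and makes a later switch of the generator a single edit. Since the password is the staff username plus this suffix, the suffix is the only secret part of the value, which is worth stating next to the line, e.g. `// The random suffix is the only unpredictable part of the generated password.`. The enclosing function starts outside the hunk.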