Added bin2hex to hash patches.

bin2hex should convert the random-generated bytes to a hex-formatted string.
panique · Jul 29, 2021 · 9cb3f56 · 9cb3f56
1 parent ec15c33
commit 9cb3f56
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/application/model/PasswordResetModel.php b/application/model/PasswordResetModel.php
@@ -35,9 +35,9 @@ public static function requestPasswordReset($user_name_or_email, $captcha)
         }
 
         // generate integer-timestamp (to see when exactly the user (or an attacker) requested the password reset mail)
-        // generate random hash for email password reset verification (40 char string)
+        // generate random hash for email password reset verification (40 bytes)
         $temporary_timestamp = time();
-        $user_password_reset_hash = random_bytes(40);
+        $user_password_reset_hash = bin2hex(random_bytes(40));
 
         // set token (= a random hash string and a timestamp) into database ...
         $token_set = self::setPasswordResetDatabaseToken($result->user_name, $user_password_reset_hash, $temporary_timestamp);

diff --git a/application/model/RegistrationModel.php b/application/model/RegistrationModel.php
@@ -50,8 +50,8 @@ public static function registerNewUser()
         // if Username or Email were false, return false
         if (!$return) return false;
 
-        // generate random hash for email verification (40 char string)
-        $user_activation_hash = random_bytes(40);
+        // generate random hash for email verification (40 bytes)
+        $user_activation_hash = bin2hex(random_bytes(40));
 
         // write user data to database
         if (!self::writeNewUserToDatabase($user_name, $user_password_hash, $user_email, time(), $user_activation_hash)) {