Replaced SHA1 with random_bytes.

panique · Jul 24, 2021 · ec15c33 · ec15c33
1 parent 40a4380
commit ec15c33
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/application/model/PasswordResetModel.php b/application/model/PasswordResetModel.php
@@ -37,7 +37,7 @@ public static function requestPasswordReset($user_name_or_email, $captcha)
         // generate integer-timestamp (to see when exactly the user (or an attacker) requested the password reset mail)
         // generate random hash for email password reset verification (40 char string)
         $temporary_timestamp = time();
-        $user_password_reset_hash = sha1(uniqid(mt_rand(), true));
+        $user_password_reset_hash = random_bytes(40);
 
         // set token (= a random hash string and a timestamp) into database ...
         $token_set = self::setPasswordResetDatabaseToken($result->user_name, $user_password_reset_hash, $temporary_timestamp);

diff --git a/application/model/RegistrationModel.php b/application/model/RegistrationModel.php
@@ -51,7 +51,7 @@ public static function registerNewUser()
         if (!$return) return false;
 
         // generate random hash for email verification (40 char string)
-        $user_activation_hash = sha1(uniqid(mt_rand(), true));
+        $user_activation_hash = random_bytes(40);
 
         // write user data to database
         if (!self::writeNewUserToDatabase($user_name, $user_password_hash, $user_email, time(), $user_activation_hash)) {