From a9886f26c08225e0adca75c67dfca3f7c42b87d0 Mon Sep 17 00:00:00 2001
From: star7th
Date: Sat, 20 Nov 2021 20:58:35 +0800
Subject: [PATCH] =?UTF-8?q?Enhanced=20LDAP=20user=20password=20/=20?= =?UTF-8?q?=E5=A2=9E=E5=BC=BAldap=E7=94=A8=E6=88=B7=E5=AF=86=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Controller/AdminSettingController.class.php | 4 ++--
 .../Application/Api/Model/UserModel.class.php | 2 +-
 server/Application/Common/Common/function.php | 17 +++++++++++++++++
 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/server/Application/Api/Controller/AdminSettingController.class.php b/server/Application/Api/Controller/AdminSettingController.class.php
index b236ac4a0..0db78c03d 100644
--- a/server/Application/Api/Controller/AdminSettingController.class.php
+++ b/server/Application/Api/Controller/AdminSettingController.class.php
@@ -100,7 +100,7 @@ public function saveLdapConfig(){
 }
 //如果该用户不在数据库里,则帮助其注册
 if(!D("User")->isExist($ldap_user)){
- D("User")->register($ldap_user,$ldap_user.time());
+ D("User")->register($ldap_user,$ldap_user.get_rand_str());
 }
 }
 D("Options")->set("ldap_form" , json_encode( $ldap_form)) ;
@@ -221,7 +221,7 @@ public function checkLdapLogin(){
 //如果该用户不在数据库里,则帮助其注册
 $userInfo = D("User")->isExist($username) ;
 if(!$userInfo){
- D("User")->register($ldap_user,$ldap_user.time());
+ D("User")->register($ldap_user,$ldap_user.get_rand_str());
 }
 $rs2=ldap_bind($ldap_conn, $dn , $password);
 if ($rs2) {
diff --git a/server/Application/Api/Model/UserModel.class.php b/server/Application/Api/Model/UserModel.class.php
index c19591b04..0c8811391 100644
--- a/server/Application/Api/Model/UserModel.class.php
+++ b/server/Application/Api/Model/UserModel.class.php
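Review bot: Only accounts created from now on get a random password; users this same line provisioned earlier still carry `$ldap_user . time()`, which is recoverable from their registration timestamp, and the commit includes no rotation for them. A one-off migration that reissues `get_rand_str()` for every account this path created (if those can be identified), or a rotation on their next successful LDAP bind, should accompany this change. The `$ldap_user.` prefix adds no entropy; `get_rand_str()` alone would be clearer, though it is harmless. saveLdapConfig() starts and ends outside the hunk, so the loop this registration sits in is not visible here.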
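Review bot: The local account is created before the supplied password has been checked: `register()` runs whenever `isExist($username)` is false, and only the `ldap_bind($ldap_conn, $dn , $password)` on the next line verifies the credentials. An unauthenticated caller who can name a user that resolves to `$dn` (that lookup is above the hunk) can therefore fill the user table with accounts without knowing any password. Move the registration under the successful bind: `if ($rs2) { if(!$userInfo){ D("User")->register($ldap_user,$ldap_user.get_rand_str()); }`. The existence check keys on `$username` while the registration uses `$ldap_user`; presumably these hold the same value, but a mismatch would recreate or misname the account on each login. checkLdapLogin() continues past the end of the hunk.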
@@ -92,7 +92,7 @@ public function checkLdapLogin($username ,$password ){
 //如果该用户不在数据库里,则帮助其注册
 $userInfo = D("User")->isExist($username) ;
 if(!$userInfo){
- D("User")->register($ldap_user,$ldap_user.time());
+ D("User")->register($ldap_user,$ldap_user.get_rand_str());
 }
 $rs2=ldap_bind($ldap_conn, $dn , $password);
 if ($rs2) {
diff --git a/server/Application/Common/Common/function.php b/server/Application/Common/Common/function.php
index 2d7c4eb2d..0fb64f3a7 100644
--- a/server/Application/Common/Common/function.php
+++ b/server/Application/Common/Common/function.php
@@ -212,4 +212,21 @@ function uncompress_string($string){
 function env($name , $default_value = false){
 return getenv($name) ? getenv($name) : $default_value ;
+}
+
+// 获取随机字符串
+function get_rand_str($len = 32 ){
+ // 对于php7以上版本,可利用random_bytes产生随机
+ if(version_compare(PHP_VERSION,'7.0','>')){
+ $rand = bin2hex( random_bytes( 16 ) );
+ return substr($rand,0,$len);
+ }else{
+ // 对于低版本,只好尽量加大长度实现伪随机,增大暴力破解难度
+ $s1 = microtime(true).time().rand().rand().rand().microtime(true).time().rand().rand().rand();
+ $s2 = microtime(true).time().rand().rand().rand().microtime(true).time().rand().rand().rand();
+ $md5 = md5($s2.base64_encode($s1));
+ return substr($md5,0,$len);
+ }
+
+ }
\ No newline at end of file
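Review bot: `register()` here also runs before `ldap_bind($ldap_conn, $dn , $password)` has verified the password, so a failed LDAP login still leaves a newly created local account behind; the registration belongs inside the `if ($rs2) {` branch that follows it. This method duplicates AdminSettingController::checkLdapLogin() line for line, so once the ordering is fixed here the controller should delegate to the model rather than carry a second copy. `isExist($username)` and `register($ldap_user, …)` refer to different variables; if `$ldap_user` is not exactly `$username` (it is assigned above the hunk), the existence check does not guard the account it creates. checkLdapLogin() runs past the end of the hunk.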
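Review bot: `get_rand_str()` never returns more than 32 characters: `random_bytes(16)` yields exactly 32 hex digits, so `substr($rand,0,$len)` pads nothing and a caller asking for `$len = 64` silently gets 32; the byte count should be derived from `$len`. The pre-7 branch feeds `rand()` and `microtime()` into md5, which is a predictable source for a password; `openssl_random_pseudo_bytes()` has existed since PHP 5.3 and should be tried first, keeping the md5 mix only as a last resort when its `$crypto_strong` flag is false. `random_bytes()` throws when no secure source is available, which is the right fail-closed behaviour and deserves a comment so nobody later wraps it in a catch that falls through to the weak path. `function_exists('random_bytes')` is also a more direct gate than `version_compare(PHP_VERSION,'7.0','>')`. The closing brace is written as ` }` with a leading space and no trailing newline, unlike the rest of the file.
```php
function get_rand_str($len = 32 ){
    // Two hex digits per byte; size the source so the result is never shorter than $len
    $bytes = (int) ceil($len / 2);
    // PHP >= 7.0 CSPRNG; throws if no secure source exists (fail closed on purpose)
    if (function_exists('random_bytes')) {
        return substr(bin2hex(random_bytes($bytes)), 0, $len);
    }
    // PHP 5.3+: OpenSSL CSPRNG, accepted only when it reports a strong source
    if (function_exists('openssl_random_pseudo_bytes')) {
        $raw = openssl_random_pseudo_bytes($bytes, $strong);
        if ($raw !== false && $strong) {
            return substr(bin2hex($raw), 0, $len);
        }
    }
    // … unchanged: microtime()/rand()/md5() last-resort fallback …
}
```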