lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CSRF token generation must be fast, can have low entropy.

Browse Source
This commit is contained in:
Laurent Destailleur 2021-07-07 14:38:52 +02:00
parent 4dd29af555
commit 2f25079981
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/main.inc.php
View File

@ -420,7 +420,7 @@ if (!defined('NOTOKENRENEWAL')) {
if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
// Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
$token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number
$token = dol_hash(uniqid(mt_rand(), false), 'md5'); // Generates a hash of a random number. We don't need a secured hash, just a changing random value.
$_SESSION['newtoken'] = $token;
dol_syslog("NEW TOKEN generated by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
}