From 2f250799813e7e4faa65cde9e137b420a6ece1e7 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 7 Jul 2021 14:38:52 +0200
Subject: [PATCH] Fix CSRF token generation must be fast, can have low entropy.

---
 htdocs/main.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 2301ca75161..df61e752f5c 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -420,7 +420,7 @@ if (!defined('NOTOKENRENEWAL')) {
 		if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
 
 		// Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
-		$token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number
+		$token = dol_hash(uniqid(mt_rand(), false), 'md5'); // Generates a hash of a random number. We don't need a secured hash, just a changing random value.
 		$_SESSION['newtoken'] = $token;
 		dol_syslog("NEW TOKEN generated by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
 	}