lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix regression in getRandomPassword

Browse Source
This commit is contained in:
Laurent Destailleur 2017-11-05 03:03:17 +01:00
parent a066bbcd89
commit 91950ccbc7
2 changed files with 17 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
htdocs/core/lib/security2.lib.php
View File

@ -454,18 +454,21 @@ function getRandomPassword($generic=false)
$uppercase = "ASDFGHJKLZXCVBNMQWERTYUIOP";
$numbers = "1234567890";
$randomCode = "";
$nbofchar = round($length/3);
$nbofcharlast = ($length - 2*$nbofchar);
var_dump($nbofchar.'-'.$nbofcharlast);
if (function_exists('random_int')) // Cryptographic random
{
$max = strlen($lowercase) - 1;
for ($x = 0; $x < abs($length/3); $x++) {
for ($x = 0; $x < $nbofchar; $x++) {
$randomCode .= $lowercase{random_int(0, $max)};
}
$max = strlen($uppercase) - 1;
for ($x = 0; $x < abs($length/3); $x++) {
for ($x = 0; $x < $nbofchar; $x++) {
$randomCode .= $uppercase{random_int(0, $max)};
}
$max = strlen($numbers) - 1;
for ($x = 0; $x < abs($length/3); $x++) {
for ($x = 0; $x < $nbofcharlast; $x++) {
$randomCode .= $numbers{random_int(0, $max)};
}
@ -474,15 +477,15 @@ function getRandomPassword($generic=false)
else // Old platform, non cryptographic random
{
$max = strlen($lowercase) - 1;
for ($x = 0; $x < abs($length/3); $x++) {
for ($x = 0; $x < $nbofchar; $x++) {
$randomCode .= $lowercase{mt_rand(0, $max)};
}
$max = strlen($uppercase) - 1;
for ($x = 0; $x < abs($length/3); $x++) {
for ($x = 0; $x < $nbofchar; $x++) {
$randomCode .= $uppercase{mt_rand(0, $max)};
}
$max = strlen($numbers) - 1;
for ($x = 0; $x < abs($length/3); $x++) {
for ($x = 0; $x < $nbofcharlast; $x++) {
$randomCode .= $numbers{mt_rand(0, $max)};
}

16
test/phpunit/SecurityTest.php
View File

@ -148,7 +148,7 @@ class SecurityTest extends PHPUnit_Framework_TestCase
$_GET["param3"]='"a/b#e(pr)qq-rr\cc'; // Same than param2 + "
$_GET["param4"]='../dir';
$_GET["param5"]="a_1-b";
// Test int
$result=GETPOST('id','int'); // Must return nothing
print __METHOD__." result=".$result."\n";
@ -179,19 +179,19 @@ class SecurityTest extends PHPUnit_Framework_TestCase
$result=GETPOST("param1",'aZ09'); // Must return '' as there is a forbidden char ../
print __METHOD__." result=".$result."\n";
$this->assertEquals($result,$_GET["param1"]);
$result=GETPOST("param2",'aZ09'); // Must return '' as there is a forbidden char ../
print __METHOD__." result=".$result."\n";
$this->assertEquals($result,'');
$result=GETPOST("param3",'aZ09'); // Must return '' as there is a forbidden char ../
print __METHOD__." result=".$result."\n";
$this->assertEquals($result,'');
$result=GETPOST("param4",'aZ09'); // Must return '' as there is a forbidden char ../
print __METHOD__." result=".$result."\n";
$this->assertEquals($result,'');
$result=GETPOST("param5",'aZ09');
print __METHOD__." result=".$result."\n";
$this->assertEquals($result,$_GET["param5"]);
@ -255,17 +255,17 @@ class SecurityTest extends PHPUnit_Framework_TestCase
$genpass1=getRandomPassword(true); // Should be a string return by dol_hash (if no option set, will be md5)
print __METHOD__." genpass1=".$genpass1."\n";
$this->assertEquals(strlen($genpass1),32);
$this->assertEquals(strlen($genpass1), 32);
$conf->global->USER_PASSWORD_GENERATED='None';
$genpass2=getRandomPassword(false); // Should be an empty string
print __METHOD__." genpass2=".$genpass2."\n";
$this->assertEquals($genpass2,'');
$this->assertEquals($genpass2, '');
$conf->global->USER_PASSWORD_GENERATED='Standard';
$genpass3=getRandomPassword(false);
print __METHOD__." genpass3=".$genpass3."\n";
$this->assertEquals(strlen($genpass3),8);
$this->assertEquals(strlen($genpass3), 8);
return 0;
}