From d97a95aa2adf6796e9d50b5390cd1e1d3d1f0856 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 7 Jul 2021 14:38:52 +0200
Subject: [PATCH] Fix CSRF token generation must be fast, can have low entropy.
---
 htdocs/main.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index e9f5b16b6a9..9e5d27c26ff 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -448,7 +448,7 @@ if (!defined('NOTOKENRENEWAL')) {
 }
 // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
- $token = dol_hash(uniqid(mt_rand(), true)); // Generates a hash of a random number
+ $token = dol_hash(uniqid(mt_rand(), false), 'md5'); // Generates a hash of a random number. We don't need a secured hash, just a changing random value.
 $_SESSION['newtoken'] = $token;
 dol_syslog("NEW TOKEN generated by : " . $_SERVER['PHP_SELF'], LOG_DEBUG);
 }
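Review bot: The new `$token` line feeds the CSRF token from `mt_rand()` and a time-based `uniqid()` (with `more_entropy` now off), and the added comment asserts a secure value is not needed; that is the wrong premise, because a CSRF token is a per-session secret whose unpredictability is the entire defense, and hashing (md5 or otherwise) adds no entropy to a 31-bit Mersenne Twister output plus a microsecond timestamp. The speed goal is better met by the CSPRNG directly, which is a single cheap call and needs no hash at all: `$token = bin2hex(random_bytes(16)); // CSRF token: must be unpredictable, not just unique`. `random_bytes()` requires PHP 7.0; if the project still supports an older floor (not visible here), keep a guarded fallback rather than defaulting to `mt_rand()`. The comment should also be corrected, since the next maintainer will read "we don't need a secured hash" as licence to weaken the token further; the choice of hash algorithm in `dol_hash` is irrelevant to the token's strength, only the input randomness is. The enclosing `if (!defined('NOTOKENRENEWAL'))` block begins before this hunk.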