
Merge pull request #486 from jordandukart/7.x-random-bytes

Use drupal_random_bytes just to be careful.
pull/485/merge
Nigel Banks 11 years ago
parent
commit
e96b927c84
  1. 7
      includes/authtokens.inc

7
includes/authtokens.inc

@ -36,12 +36,7 @@ define('ISLANDORA_AUTHTOKEN_TOKEN_TIMEOUT', 300);
function islandora_get_object_token($pid, $dsid, $uses = 1) { function islandora_get_object_token($pid, $dsid, $uses = 1) {
global $user; global $user;
$time = time(); $time = time();
// The function mt_rand is not considered cryptographically secure $token = bin2hex(drupal_random_bytes(32));
// and openssl_rando_pseudo_bytes() is only available in PHP > 5.3.
// We might be safe in this case because mt_rand should never be using
// the same seed, but this is still more secure.
$token = hash("sha256", mt_rand() . $time);
$id = db_insert("islandora_authtokens")->fields( $id = db_insert("islandora_authtokens")->fields(
array( array(
'token' => $token, 'token' => $token,
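Review bot: The new `$token = bin2hex(drupal_random_bytes(32));` line drops the only comment that explained why the token source matters; a one-line replacement such as `// Tokens must be unguessable: 32 bytes from drupal_random_bytes(), hex-encoded to 64 characters.` would keep that intent visible. The value is then inserted unchanged into `islandora_authtokens` (`'token' => $token`), so read access to that table presumably yields tokens that remain valid until they time out or their uses are spent. Storing `hash('sha256', $token)` and hashing the presented value on lookup would close that gap, provided the validation code, which is not visible in this hunk, is changed to match. The hex string has the same length as the old SHA-256 digest, so the column size should not need to change. The body of islandora_get_object_token continues past the end of the hunk.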
