| author | 2025-10-04 14:32:18 +0200 | |
|---|---|---|
| committer | 2025-10-04 14:32:18 +0200 | |
| commit | 57e1a375cbd2db9741ff19167813344f8eff5772 (patch) | |
| tree | 741fc3820a205ab3ea84a03f6b72615dd8238f99 /app/Controllers | |
| parent | be49726ebb700aca030004d367c029082cfc6427 (diff) | |
Strengthen some crypto (#8061)
For login, tokens, nonces
Diffstat (limited to 'app/Controllers')
| -rw-r--r-- | app/Controllers/javascriptController.php | 5 | ||||
| -rw-r--r-- | app/Controllers/userController.php | 3 |
2 files changed, 3 insertions, 5 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 1370c00c7..eda468dff 100644
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -74,12 +74,11 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
 $user_conf = get_user_configuration($user);
 if ($user_conf !== null) {
 try {
- $salt = FreshRSS_Context::systemConf()->salt;
 $s = $user_conf->passwordHash;
 if (strlen($s) >= 60) { //CRYPT_BLOWFISH Salt: "$2a$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".
 $this->view->salt1 = substr($s, 0, 29);
- $this->view->nonce = sha1($salt . uniqid('' . mt_rand(), true));
+ $this->view->nonce = hash('sha256', FreshRSS_Context::systemConf()->salt . $user . random_bytes(32));
 Minz_Session::_param('nonce', $this->view->nonce);
 return; //Success
 }
@@ -95,7 +94,7 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
 for ($i = 22; $i > 0; $i--) {
 $this->view->salt1 .= $alphabet[random_int(0, 63)];
 }
- $this->view->nonce = sha1('' . mt_rand());
+ $this->view->nonce = hash('sha256', 'failure' . rand());
 Minz_Session::_param('nonce', $this->view->nonce);
 }
 }
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index f820ef882..a7a79b067 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -41,8 +41,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
 $userConfig->mail_login = $email;
 if (FreshRSS_Context::systemConf()->force_email_validation) {
- $salt = FreshRSS_Context::systemConf()->salt;
- $userConfig->email_validation_token = sha1($salt . uniqid('' . mt_rand(), true));
+ $userConfig->email_validation_token = hash('sha256', FreshRSS_Context::systemConf()->salt . $email . random_bytes(32));
 $mailer = new FreshRSS_User_Mailer();
 $mailer->send_email_need_validation($user, $userConfig);
 }
 |
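Review bot: On the new nonce line of the first hunk, `random_bytes(32)` is now the only unpredictable input, so prefixing the system salt and `$user` adds nothing cryptographically while making the value look as if it were derivable from them; the same applies to the `email_validation_token` line in userController.php. If only the 64-hex-character shape matters, `bin2hex(random_bytes(32))` gives the same format with less to reason about; otherwise a comment such as `// random_bytes() is the sole source of unpredictability; the salt/user prefix is not a secret` keeps the next reader from treating the prefix as one. `random_bytes()` also throws (`\Exception`, or `Random\RandomException` on PHP 8.2+) when no CSPRNG source is available: here it sits inside a `try` whose `catch` is outside the hunk, and in the userController hunk no `try` is visible, so confirm both callers treat that as a hard failure rather than continuing with an unset token. The enclosing methods begin and end outside the hunks.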
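Review bot: The failure-path nonce in the second hunk is built from `rand()`, which is a Mersenne Twister alias rather than a CSPRNG, so this line undercuts the commit's own purpose: the value is stored under the same session key `nonce` as the real nonce in the first hunk, and the loop just above already draws `salt1` with `random_int()`. The consistent one-line fix is `$this->view->nonce = hash('sha256', 'failure' . random_bytes(32));`, which keeps the same 64-hex shape as the success branch so the two paths stay uniform. The enclosing method begins outside the hunk.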
