From 57e1a375cbd2db9741ff19167813344f8eff5772 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Sat, 4 Oct 2025 14:32:18 +0200
Subject: Strengthen some crypto (#8061) For login, tokens, nonces
---
 app/Controllers/userController.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'app/Controllers/userController.php')
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index f820ef882..a7a79b067 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -41,8 +41,7 @@ class FreshRSS_user_Controller extends FreshRSS_ActionController {
 $userConfig->mail_login = $email;
 if (FreshRSS_Context::systemConf()->force_email_validation) {
- $salt = FreshRSS_Context::systemConf()->salt;
- $userConfig->email_validation_token = sha1($salt . uniqid('' . mt_rand(), true));
+ $userConfig->email_validation_token = hash('sha256', FreshRSS_Context::systemConf()->salt . $email . random_bytes(32));
 $mailer = new FreshRSS_User_Mailer();
 $mailer->send_email_need_validation($user, $userConfig);
 }
-- 
cgit v1.2.3
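Review bot: The new `email_validation_token` assignment gets all of its unpredictability from `random_bytes(32)`, but nothing on the line says so; the salt and `$email` only bind the value to this instance and address, and a later reader could mistake them for the secret part. A one-line comment above the assignment would record that, e.g. `// Unpredictability comes from random_bytes(32); salt and e-mail only bind the token to this instance and address`. The token also grows from 40 to 64 hex characters, so any length or format check on the validation side, which is not visible in this hunk, should be confirmed to accept it, and that comparison should presumably use `hash_equals()`. The enclosing method starts and ends outside the hunk.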