Improved entropy for report file urls.
authorJanusz Dobrowolski <janusz@frontaccounting.eu>
Sat, 18 Mar 2017 14:52:46 +0000 (15:52 +0100)
committerJanusz Dobrowolski <janusz@frontaccounting.eu>
Sat, 18 Mar 2017 14:58:33 +0000 (15:58 +0100)
admin/attachments.php
includes/main.inc
includes/ui/ui_controls.inc
reporting/includes/excel_report.inc
reporting/includes/pdf_report.inc
reporting/rep102.php
reporting/rep202.php
reporting/rep706.php
reporting/rep707.php

index 2f41d80c14cc15cef973f5dedb2e4b3b0b1232e9..639fbd9fdb985eae6443d8cd84ba5a4b9fb716a8 100644 (file)
@@ -116,7 +116,7 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
                                unlink($dir."/".$unique_name);
                }
                else
-                       $unique_name = uniqid('');
+                       $unique_name = random_id();
 
                //save the file
                move_uploaded_file($tmpname, $dir."/".$unique_name);
index db1576bf50d748ad38b2b0bdd7b1b160dfcba57d..b61b41a80a8cdd3cc41630374a4844385a4c7559 100644 (file)
@@ -352,4 +352,24 @@ function clean_file_name($filename) {
     return preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);
 }
 
-?>
\ No newline at end of file
+/*
+       This function aims to generate cryptographically strong random identifier.
+       Result identifier has length 4[strength/8/3] 
+*/
+function random_id($strength = 128)
+{
+       $n = ceil($strength/8);
+
+       if (function_exists('openssl_random_pseudo_bytes'))
+               $bin = openssl_random_pseudo_bytes($n, $cstrong);       // openssl on php 5.3 and up
+       else if (file_exists('/dev/urandom'))
+               $bin = file_get_contents('/dev/urandom', false, null, -1, $n);  // linux std random device
+       else {
+               $bin = '';
+               for($i=0; $i < $n; $i++)
+                       $bin .= chr(mt_rand(0, 255));   // Mersene Twister generator
+       }
+       $id = strtr(base64_encode($bin), '+/', '-_');   // see RFC 4648 Section 5
+
+       return $id;
+}
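Review bot: The `$cstrong` flag set by `openssl_random_pseudo_bytes($n, $cstrong)` is never inspected, the `/dev/urandom` read is not checked for `false` or a short result, and the final fallback is mt_rand(), so a function whose comment promises a "cryptographically strong" identifier can silently return weak or empty output to the CSRF token in ui_controls.inc and to the file names in attachments.php, excel_report.inc, pdf_report.inc and rep102/202/706/707. An empty `$bin` produces an empty id, so those callers would write to a file named just `.xls`/`.pdf`/`.png`, and a 128-bit id base64-encodes with `==` padding that clean_file_name() (context line just above) rewrites to `_`, so the id should be emitted without padding. On PHP 7.1 and later a negative offset passed to file_get_contents() asks for a seek from the end of the stream, which `/dev/urandom` does not support, so that branch may warn and return false there (inferred from the changed default; worth confirming on the target PHP). The length formula in the header comment, `4[strength/8/3]`, should read `4*ceil(ceil($strength/8)/3)` characters before padding is stripped. A version that prefers random_bytes() where it exists, falls through when a source cannot deliver strong bytes, and fails loudly instead of degrading to mt_rand() follows.
```php
function random_id($strength = 128)
{
	$n = (int)ceil($strength/8);
	$bin = false;

	if (function_exists('random_bytes'))		// php 7 and up: CSPRNG, throws when no source is available
		$bin = random_bytes($n);
	if ($bin === false && function_exists('openssl_random_pseudo_bytes')) {
		$bin = openssl_random_pseudo_bytes($n, $cstrong);	// openssl on php 5.3 and up
		if ($cstrong !== true)
			$bin = false;	// openssl could not guarantee strong bytes; try the next source
	}
	if ($bin === false && is_readable('/dev/urandom'))
		$bin = file_get_contents('/dev/urandom', false, null, 0, $n);	// linux std random device
	if ($bin === false || strlen($bin) != $n)
		trigger_error('No cryptographically strong random source is available', E_USER_ERROR);

	return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');	// base64url (RFC 4648 Section 5) without padding
}
```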
index 515cf999322cd0adabcdc3169b49e0086c692b87..0f9be33eb5d1363f188ab622a38644a3927142fc 100644 (file)
@@ -66,7 +66,7 @@ function end_form($breaks=0)
 {
        global $Ajax, $hidden_fields;
 
-       $_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
+       $_SESSION['csrf_token'] = random_id();
        if ($breaks)
                br($breaks);
        hidden('_focus');
index 33ac54a529448ee627444c4679e9dd357a41b567..74f11e85c08b44e056ff5c3e901abeb208d06695 100644 (file)
@@ -80,7 +80,7 @@ class FrontReport extends Spreadsheet_Excel_Writer_Workbook
                $rtl = ($_SESSION['language']->dir == 'rtl');
                $this->code = strtolower($_SESSION['language']->encoding);
                $this->filename = $filename.".xls";
-               $this->unique_name = uniqid('').".xls";
+               $this->unique_name = random_id().".xls";
                $this->path = company_path(). '/pdf_files';
                $this->Spreadsheet_Excel_Writer_Workbook($this->path."/".$this->unique_name);
                //$this->setCountry(48);
index 55c9f9634e377c371a8934133698bf6566be5557..781a9e9f2828370edcbfd3cd80c7a4cd015acd18 100644 (file)
@@ -969,8 +969,8 @@ class FrontReport extends Cpdf
                        // are world readable
                        if ($email == 1)
                                $fname = $dir.'/'.$this->filename;
-                       else    
-                               $fname = $dir.'/'.uniqid('').'.pdf';
+                       else
+                               $fname = $dir.'/'.random_id().'.pdf';
                        $this->Output($fname, 'F');
 
                        if ($email == 1)
index 0034d786654176b6add8c467cce7fffb7cf761ca..754d929a6393897056337416bac5cf927facbc2e 100644 (file)
@@ -248,7 +248,7 @@ function print_aged_customer_analysis()
                $pg->skin      = $graph_skin;
                $pg->built_in  = false;
                $pg->latin_notation = ($decseps[$_SESSION["wa_current_user"]->prefs->dec_sep()] != ".");
-               $filename = company_path(). "/pdf_files/". uniqid("").".png";
+               $filename = company_path(). "/pdf_files/". random_id().".png";
                $pg->display($filename, true);
                $w = $pg->width / 1.5;
                $h = $pg->height / 1.5;
index c3b1e87a41ec7c9f0323cb30ea437b845238fe94..de6ade5eb14a6985fe0fd29c0e84f942a716f6a1 100644 (file)
@@ -256,7 +256,7 @@ function print_aged_supplier_analysis()
                $pg->skin      = $graph_skin;
                $pg->built_in  = false;
                $pg->latin_notation = ($decseps[$_SESSION["wa_current_user"]->prefs->dec_sep()] != ".");
-               $filename = company_path(). "/pdf_files/". uniqid("").".png";
+               $filename = company_path(). "/pdf_files/". random_id().".png";
                $pg->display($filename, true);
                $w = $pg->width / 1.5;
                $h = $pg->height / 1.5;
index ebb9cd8328416852d555f88b0dac053dc731adda..cbc831486950e3295297fd0b003b76e8d4793996 100644 (file)
@@ -313,7 +313,7 @@ function print_balance_sheet()
                $pg->skin      = $graph_skin;
                $pg->built_in  = false;
                $pg->latin_notation = ($decseps[$_SESSION["wa_current_user"]->prefs->dec_sep()] != ".");
-               $filename = company_path(). "/pdf_files/". uniqid("").".png";
+               $filename = company_path(). "/pdf_files/". random_id().".png";
                $pg->display($filename, true);
                $w = $pg->width / 1.5;
                $h = $pg->height / 1.5;
index 64dea035bcb8ea83522bbd47fb88e158a5d916c6..e05c4fe8338b88ecc29aca6d1e3b9eb9df846dbc 100644 (file)
@@ -331,7 +331,7 @@ function print_profit_and_loss_statement()
                $pg->skin      = $graph_skin;
                $pg->built_in  = false;
                $pg->latin_notation = ($decseps[$_SESSION["wa_current_user"]->prefs->dec_sep()] != ".");
-               $filename = company_path(). "/pdf_files/". uniqid("").".png";
+               $filename = company_path(). "/pdf_files/". random_id().".png";
                $pg->display($filename, true);
                $w = $pg->width / 1.5;
                $h = $pg->height / 1.5;