projects / fa-stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e3f484a)
Improved entropy for report file urls.
authorJanusz Dobrowolski <janusz@frontaccounting.eu>
Sat, 18 Mar 2017 14:56:19 +0000 (15:56 +0100)
committerJanusz Dobrowolski <janusz@frontaccounting.eu>
Sat, 18 Mar 2017 14:58:02 +0000 (15:58 +0100)
admin/attachments.php patch | blob | history
includes/main.inc patch | blob | history
includes/ui/ui_controls.inc patch | blob | history
reporting/includes/excel_report.inc patch | blob | history
reporting/includes/pdf_report.inc patch | blob | history
reporting/rep102.php patch | blob | history
reporting/rep202.php patch | blob | history
reporting/rep706.php patch | blob | history
reporting/rep707.php patch | blob | history

diff --git a/admin/attachments.php b/admin/attachments.php
index f600e3017fd5c39bde3556814785a8b226e39a92..421c040662f5fa309a25f51a4009149c72c58ab1 100644 (file)
--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -119,7 +119,7 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
                                unlink($dir."/".$unique_name);
                }
                else
-                       $unique_name = uniqid('');
+                       $unique_name = random_id();
 
                //save the file
                move_uploaded_file($tmpname, $dir."/".$unique_name);
diff --git a/includes/main.inc b/includes/main.inc
index df31aa17a52a4e84d4ea6a0e968fdbc7ebe56d30..bd2463f0cc549e0cbf24e4dd9941cb89c9a312d8 100644 (file)
--- a/includes/main.inc
+++ b/includes/main.inc
@@ -422,3 +422,24 @@ if (!function_exists('array_fill_keys')) // since 5.2
        }
 }
 
+/*
+       This function aims to generate cryptographically strong random identifier.
+       Result identifier has length 4[strength/8/3] 
+*/
+function random_id($strength = 128)
+{
+       $n = ceil($strength/8);
+
+       if (function_exists('openssl_random_pseudo_bytes'))
+               $bin = openssl_random_pseudo_bytes($n, $cstrong);       // openssl on php 5.3 and up
+       else if (file_exists('/dev/urandom'))
+               $bin = file_get_contents('/dev/urandom', false, null, -1, $n);  // linux std random device
+       else {
+               $bin = '';
+               for($i=0; $i < $n; $i++)
+                       $bin .= chr(mt_rand(0, 255));   // Mersene Twister generator
+       }
+       $id = strtr(base64_encode($bin), '+/', '-_');   // see RFC 4648 Section 5
+
+       return $id;
+}
diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc
index ba62f467519a4a6bbc85ff9125803ca07ef1c24d..e575fd15d8a071382cafe07c12811b221084e1ec 100644 (file)
--- a/includes/ui/ui_controls.inc
+++ b/includes/ui/ui_controls.inc
@@ -72,7 +72,7 @@ function end_form($breaks=0)
 
        if ($form_nested-- > 0) return;
 
-       $_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
+       $_SESSION['csrf_token'] = random_id();
        if ($breaks)
                br($breaks);
        hidden('_focus');
diff --git a/reporting/includes/excel_report.inc b/reporting/includes/excel_report.inc
index ef387adaf1702f7d7f6728db7c33577281292a75..c6f0d4436039b97519644a57e94f08c915baae3d 100644 (file)
--- a/reporting/includes/excel_report.inc
+++ b/reporting/includes/excel_report.inc
@@ -81,7 +81,7 @@ class FrontReport extends Spreadsheet_Excel_Writer_Workbook
                $rtl = ($_SESSION['language']->dir == 'rtl');
                $this->code = strtolower($_SESSION['language']->encoding);
                $this->filename = $filename.".xls";
-               $this->unique_name = uniqid('').".xls";
+               $this->unique_name = random_id().".xls";
                $this->path = company_path(). '/pdf_files';
                $this->Spreadsheet_Excel_Writer_Workbook($this->path."/".$this->unique_name);
                if ($this->code != "iso-8859-1")
diff --git a/reporting/includes/pdf_report.inc b/reporting/includes/pdf_report.inc
index 6b9b45c9f637c53b089a3a016eeefae8d93c9984..dd0ae91826016175edd6b3d048f93bc2f1c5bbcc 100644 (file)
--- a/reporting/includes/pdf_report.inc
+++ b/reporting/includes/pdf_report.inc
@@ -957,7 +957,7 @@ class FrontReport extends Cpdf
                        }
                        // do not use standard filenames or your sensitive company data 
                        // are world readable
-                       $fname = $dir.'/'.uniqid('').'.pdf';
+                       $fname = $dir.'/'.random_id().'.pdf';
                        $this->Output($fname, 'F');
 
                        if ($email == 1)
diff --git a/reporting/rep102.php b/reporting/rep102.php
index e407c6d7b8f77a2323d55d83a5e2a42b2b936584..7f509f8f6fad993f72d5febbb9f2e1733102d13b 100644 (file)
--- a/reporting/rep102.php
+++ b/reporting/rep102.php
@@ -245,7 +245,7 @@ function print_aged_customer_analysis()
                $pg->skin      = $SysPrefs->graph_skin;
                $pg->built_in  = false;
                $pg->latin_notation = ($SysPrefs->decseps[user_dec_sep()] != ".");
-               $filename = company_path(). "/pdf_files/". uniqid("").".png";
+               $filename = company_path(). "/pdf_files/". random_id().".png";
                $pg->display($filename, true);
                $w = $pg->width / 1.5;
                $h = $pg->height / 1.5;
diff --git a/reporting/rep202.php b/reporting/rep202.php
index d327f8b9771ae77cb7bab72d9c88bfedf6cc2cab..dc899f577af2c7e9910ed1f11831a4580f61aa2f 100644 (file)
--- a/reporting/rep202.php
+++ b/reporting/rep202.php
@@ -253,7 +253,7 @@ function print_aged_supplier_analysis()
                $pg->skin      = $SysPrefs->graph_skin;
                $pg->built_in  = false;
                $pg->latin_notation = ($SysPrefs->decseps[user_dec_sep()] != ".");
-               $filename = company_path(). "/pdf_files/". uniqid("").".png";
+               $filename = company_path(). "/pdf_files/". random_id().".png";
                $pg->display($filename, true);
                $w = $pg->width / 1.5;
                $h = $pg->height / 1.5;
diff --git a/reporting/rep706.php b/reporting/rep706.php
index dd79272e0aa16372cfae9a80234fae5c04a1780a..30e2520bfded355d83efc04caaa9395d3a1cea64 100644 (file)
--- a/reporting/rep706.php
+++ b/reporting/rep706.php
@@ -312,7 +312,7 @@ function print_balance_sheet()
                $pg->skin      = $SysPrefs->graph_skin;
                $pg->built_in  = false;
                $pg->latin_notation = ($SysPrefs->decseps[user_dec_sep()] != ".");
-               $filename = company_path(). "/pdf_files/". uniqid("").".png";
+               $filename = company_path(). "/pdf_files/". random_id().".png";
                $pg->display($filename, true);
                $w = $pg->width / 1.5;
                $h = $pg->height / 1.5;
diff --git a/reporting/rep707.php b/reporting/rep707.php
index bd13ff9b218e4da2092999b2e7dad996b65cf397..267636dac66b11b573b9214f12c6a6d787e0184e 100644 (file)
--- a/reporting/rep707.php
+++ b/reporting/rep707.php
@@ -330,7 +330,7 @@ function print_profit_and_loss_statement()
                $pg->skin      = $SysPrefs->graph_skin;
                $pg->built_in  = false;
                $pg->latin_notation = ($SysPrefs->decseps[user_dec_sep()] != ".");
-               $filename = company_path(). "/pdf_files/". uniqid("").".png";
+               $filename = company_path(). "/pdf_files/". random_id().".png";
                $pg->display($filename, true);
                $w = $pg->width / 1.5;
                $h = $pg->height / 1.5;
FrontAccounting stable branch