From 06a878fac8f2aa889ee481a22bc9f68fef1f7c8b Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Sat, 18 Mar 2017 15:52:46 +0100
Subject: [PATCH] Improved entropy for report file urls.
---
 admin/attachments.php | 2 +-
 includes/main.inc | 22 +++++++++++++++++++++-
 includes/ui/ui_controls.inc | 2 +-
 reporting/includes/excel_report.inc | 2 +-
 reporting/includes/pdf_report.inc | 4 ++--
 reporting/rep102.php | 2 +-
 reporting/rep202.php | 2 +-
 reporting/rep706.php | 2 +-
 reporting/rep707.php | 2 +-
 9 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/admin/attachments.php b/admin/attachments.php
index 2f41d80c..639fbd9f 100644
--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -116,7 +116,7 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
 unlink($dir."/".$unique_name);
 }
 else
- $unique_name = uniqid('');
+ $unique_name = random_id();
 //save the file
 move_uploaded_file($tmpname, $dir."/".$unique_name);
diff --git a/includes/main.inc b/includes/main.inc
index db1576bf..b61b41a8 100644
--- a/includes/main.inc
+++ b/includes/main.inc
@@ -352,4 +352,24 @@ function clean_file_name($filename)
 {
 return preg_replace('/[^a-zA-Z0-9.\-_]/', '_', $filename);
 }
-?>
\ No newline at end of file
+/* This function aims to generate cryptographically strong random identifier. Result identifier has length 4[strength/8/3] */
+function random_id($strength = 128)
+{
+ $n = ceil($strength/8);
+
+ if (function_exists('openssl_random_pseudo_bytes'))
+ $bin = openssl_random_pseudo_bytes($n, $cstrong); // openssl on php 5.3 and up
+ else if (file_exists('/dev/urandom'))
+ $bin = file_get_contents('/dev/urandom', false, null, -1, $n); // linux std random device
+ else {
+ $bin = '';
+ for($i=0; $i < $n; $i++)
+ $bin .= chr(mt_rand(0, 255)); // Mersene Twister generator
+ }
+ $id = strtr(base64_encode($bin), '+/', '-_'); // see RFC 4648 Section 5
+
+ return $id;
+}
diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc
index 515cf999..0f9be33e 100644
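Review bot: random_id() in the main.inc hunk never checks `$cstrong` or the return value of `openssl_random_pseudo_bytes()`, so on a build where OpenSSL reports a weak source (or returns false) the function still returns that output, or an empty id, while its comment promises a cryptographically strong identifier, and the same value becomes the CSRF token in ui_controls.inc. The `/dev/urandom` branch likewise does not verify that `file_get_contents()` returned `$n` bytes, and the final `mt_rand()` fallback is a non-cryptographic PRNG, so a silently weak token is possible on exactly the platforms where the first two branches are unavailable. I would prefer `random_bytes()` (PHP 7+) when present, verify each fallback's output, and fail loudly rather than degrade to Mersenne Twister; the base64 `=` padding carries no entropy and could be dropped with `rtrim($id, '=')` if a trailing `==` is unwanted in file names and URLs. The rest of main.inc is outside the hunk.

```php
function random_id($strength = 128)
{
	$n = (int)ceil($strength/8);
	$bin = false;

	if (function_exists('random_bytes'))				// php 7+: CSPRNG, throws when none is available
		$bin = random_bytes($n);
	else if (function_exists('openssl_random_pseudo_bytes')) {	// openssl on php 5.3 and up
		$bin = openssl_random_pseudo_bytes($n, $cstrong);
		if ($cstrong !== true)							// openssl could not vouch for its source: discard
			$bin = false;
	}
	if ($bin === false && is_readable('/dev/urandom'))		// unix kernel random device
		$bin = file_get_contents('/dev/urandom', false, null, -1, $n);

	if ($bin === false || strlen($bin) < $n)			// no acceptable source: refuse rather than emit a weak id
		trigger_error('random_id(): no cryptographically secure random source available', E_USER_ERROR);

	return strtr(base64_encode($bin), '+/', '-_');	// see RFC 4648 Section 5
}
```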
--- a/includes/ui/ui_controls.inc
+++ b/includes/ui/ui_controls.inc
@@ -66,7 +66,7 @@ function end_form($breaks=0)
 {
 global $Ajax, $hidden_fields;
- $_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
+ $_SESSION['csrf_token'] = random_id();
 if ($breaks)
 br($breaks);
 hidden('_focus');
diff --git a/reporting/includes/excel_report.inc b/reporting/includes/excel_report.inc
index 33ac54a5..74f11e85 100644
--- a/reporting/includes/excel_report.inc
+++ b/reporting/includes/excel_report.inc
@@ -80,7 +80,7 @@ class FrontReport extends Spreadsheet_Excel_Writer_Workbook
 $rtl = ($_SESSION['language']->dir == 'rtl');
 $this->code = strtolower($_SESSION['language']->encoding);
 $this->filename = $filename.".xls";
- $this->unique_name = uniqid('').".xls";
+ $this->unique_name = random_id().".xls";
 $this->path = company_path(). '/pdf_files';
 $this->Spreadsheet_Excel_Writer_Workbook($this->path."/".$this->unique_name);
 //$this->setCountry(48);
diff --git a/reporting/includes/pdf_report.inc b/reporting/includes/pdf_report.inc
index 55c9f963..781a9e9f 100644
--- a/reporting/includes/pdf_report.inc
+++ b/reporting/includes/pdf_report.inc
@@ -969,8 +969,8 @@ class FrontReport extends Cpdf
 // are world readable
 if ($email == 1)
 $fname = $dir.'/'.$this->filename;
- else
- $fname = $dir.'/'.uniqid('').'.pdf';
+ else
+ $fname = $dir.'/'.random_id().'.pdf';
 $this->Output($fname, 'F');
 if ($email == 1)
diff --git a/reporting/rep102.php b/reporting/rep102.php
index 0034d786..754d929a 100644
--- a/reporting/rep102.php
+++ b/reporting/rep102.php
@@ -248,7 +248,7 @@ function print_aged_customer_analysis()
 $pg->skin = $graph_skin;
 $pg->built_in = false;
 $pg->latin_notation = ($decseps[$_SESSION["wa_current_user"]->prefs->dec_sep()] != ".");
- $filename = company_path(). "/pdf_files/". uniqid("").".png";
+ $filename = company_path(). "/pdf_files/". random_id().".png";
 $pg->display($filename, true);
 $w = $pg->width / 1.5;
 $h = $pg->height / 1.5;
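Review bot: The new assignment in end_form() still overwrites `$_SESSION['csrf_token']` on every call, so the stronger id does not change that a page rendering two forms, or a user with two open tabs, is left with only the last form's token valid and the earlier one rejected wherever the token is verified, which presumably happens in code outside this hunk. If that is not intended, generating the value once per session, `if (empty($_SESSION['csrf_token'])) $_SESSION['csrf_token'] = random_id();`, keeps every rendered form valid, and rotating it at login would still bound reuse. The verification site is not visible here; whatever it is should compare with `hash_equals()`. end_form()'s body continues past the hunk.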
diff --git a/reporting/rep202.php b/reporting/rep202.php
index c3b1e87a..de6ade5e 100644
--- a/reporting/rep202.php
+++ b/reporting/rep202.php
@@ -256,7 +256,7 @@ function print_aged_supplier_analysis()
 $pg->skin = $graph_skin;
 $pg->built_in = false;
 $pg->latin_notation = ($decseps[$_SESSION["wa_current_user"]->prefs->dec_sep()] != ".");
- $filename = company_path(). "/pdf_files/". uniqid("").".png";
+ $filename = company_path(). "/pdf_files/". random_id().".png";
 $pg->display($filename, true);
 $w = $pg->width / 1.5;
 $h = $pg->height / 1.5;
diff --git a/reporting/rep706.php b/reporting/rep706.php
index ebb9cd83..cbc83148 100644
--- a/reporting/rep706.php
+++ b/reporting/rep706.php
@@ -313,7 +313,7 @@ function print_balance_sheet()
 $pg->skin = $graph_skin;
 $pg->built_in = false;
 $pg->latin_notation = ($decseps[$_SESSION["wa_current_user"]->prefs->dec_sep()] != ".");
- $filename = company_path(). "/pdf_files/". uniqid("").".png";
+ $filename = company_path(). "/pdf_files/". random_id().".png";
 $pg->display($filename, true);
 $w = $pg->width / 1.5;
 $h = $pg->height / 1.5;
diff --git a/reporting/rep707.php b/reporting/rep707.php
index 64dea035..e05c4fe8 100644
--- a/reporting/rep707.php
+++ b/reporting/rep707.php
@@ -331,7 +331,7 @@ function print_profit_and_loss_statement()
 $pg->skin = $graph_skin;
 $pg->built_in = false;
 $pg->latin_notation = ($decseps[$_SESSION["wa_current_user"]->prefs->dec_sep()] != ".");
- $filename = company_path(). "/pdf_files/". uniqid("").".png";
+ $filename = company_path(). "/pdf_files/". random_id().".png";
 $pg->display($filename, true);
 $w = $pg->width / 1.5;
 $h = $pg->height / 1.5;
--
2.30.2
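Review bot: The expression `company_path(). "/pdf_files/". random_id().".png"` is now repeated verbatim in rep202.php, rep706.php and rep707.php (and rep102.php earlier in the patch), with `.xls` and `.pdf` twins in the two report classes, so the naming scheme for scratch files lives in six places. A one-line helper beside random_id() in main.inc, e.g. `function temp_report_file($ext) { return company_path()."/pdf_files/".random_id().".".$ext; }`, would let the next change to that scheme (a different directory, stripped padding, a length limit) happen once. Whether these graph PNGs are removed after the report embeds them is not visible in these hunks; the enclosing print_* functions continue outside them.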