From c57a65eca46110b7e4a865dc2b007c1fd75838c3 Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Sat, 18 Mar 2017 15:56:19 +0100
Subject: [PATCH] Improved entropy for report file urls.

---
 admin/attachments.php | 2 +-
 includes/main.inc | 21 +++++++++++++++++++++
 includes/ui/ui_controls.inc | 2 +-
 reporting/includes/excel_report.inc | 2 +-
 reporting/includes/pdf_report.inc | 2 +-
 reporting/rep102.php | 2 +-
 reporting/rep202.php | 2 +-
 reporting/rep706.php | 2 +-
 reporting/rep707.php | 2 +-
 9 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/admin/attachments.php b/admin/attachments.php
index f600e301..421c0406 100644
--- a/admin/attachments.php
+++ b/admin/attachments.php
@@ -119,7 +119,7 @@ if ($Mode == 'ADD_ITEM' || $Mode == 'UPDATE_ITEM')
 unlink($dir."/".$unique_name);
 }
 else
- $unique_name = uniqid('');
+ $unique_name = random_id();
 //save the file
 move_uploaded_file($tmpname, $dir."/".$unique_name);
diff --git a/includes/main.inc b/includes/main.inc
index df31aa17..bd2463f0 100644
--- a/includes/main.inc
+++ b/includes/main.inc
@@ -422,3 +422,24 @@ if (!function_exists('array_fill_keys')) // since 5.2
 }
 }
+/*
+ This function aims to generate cryptographically strong random identifier.
+ Result identifier has length 4[strength/8/3]
+*/
+function random_id($strength = 128)
+{
+ $n = ceil($strength/8);
+
+ if (function_exists('openssl_random_pseudo_bytes'))
+ $bin = openssl_random_pseudo_bytes($n, $cstrong); // openssl on php 5.3 and up
+ else if (file_exists('/dev/urandom'))
+ $bin = file_get_contents('/dev/urandom', false, null, -1, $n); // linux std random device
+ else {
+ $bin = '';
+ for($i=0; $i < $n; $i++)
+ $bin .= chr(mt_rand(0, 255)); // Mersene Twister generator
+ }
+ $id = strtr(base64_encode($bin), '+/', '-_'); // see RFC 4648 Section 5
+
+ return $id;
+}
diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc
index ba62f467..e575fd15 100644
--- a/includes/ui/ui_controls.inc
+++ b/includes/ui/ui_controls.inc
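Review bot: random_id() in includes/main.inc never checks that it actually obtained strong bytes: `$cstrong` is captured but ignored, and when openssl_random_pseudo_bytes() returns false or the file_get_contents('/dev/urandom') read fails or comes back short, `$bin` is false or truncated, so the function returns an empty or short identifier and the callers in excel_report.inc and pdf_report.inc would write a fixed name such as `.xls` or `.pdf` — exactly the predictability this commit is meant to remove. The mt_rand() fallback is also not cryptographically strong despite the header comment, and the `=` padding left by base64_encode() ends up in file names and URLs. On PHP 7 random_bytes() is available and throws instead of returning weak data; I would prefer it when present, verify `$cstrong` and the byte count for the other sources, fail loudly instead of silently falling back to mt_rand(), and strip the padding. The header comment could then be made precise: `Result identifier has 4*ceil(strength/8/3) base64url characters before the '=' padding is stripped`.
```php
function random_id($strength = 128)
{
	$n = (int)ceil($strength/8);
	$bin = false;

	if (function_exists('random_bytes'))
		$bin = random_bytes($n); // php 7+: throws instead of returning weak bytes
	elseif (function_exists('openssl_random_pseudo_bytes')) {
		$bin = openssl_random_pseudo_bytes($n, $cstrong);
		if (!$cstrong) // openssl had no strong source; do not trust the result
			$bin = false;
	} elseif (file_exists('/dev/urandom'))
		$bin = file_get_contents('/dev/urandom', false, null, -1, $n);

	if ($bin === false || strlen($bin) != $n)
		trigger_error('No cryptographically strong random source available', E_USER_ERROR);

	return rtrim(strtr(base64_encode($bin), '+/', '-_'), '='); // base64url, RFC 4648 Section 5
}
```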
@@ -72,7 +72,7 @@ function end_form($breaks=0)
 if ($form_nested-- > 0)
 return;
- $_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
+ $_SESSION['csrf_token'] = random_id();
 if ($breaks)
 br($breaks);
 hidden('_focus');
diff --git a/reporting/includes/excel_report.inc b/reporting/includes/excel_report.inc
index ef387ada..c6f0d443 100644
--- a/reporting/includes/excel_report.inc
+++ b/reporting/includes/excel_report.inc
@@ -81,7 +81,7 @@ class FrontReport extends Spreadsheet_Excel_Writer_Workbook
 $rtl = ($_SESSION['language']->dir == 'rtl');
 $this->code = strtolower($_SESSION['language']->encoding);
 $this->filename = $filename.".xls";
- $this->unique_name = uniqid('').".xls";
+ $this->unique_name = random_id().".xls";
 $this->path = company_path(). '/pdf_files';
 $this->Spreadsheet_Excel_Writer_Workbook($this->path."/".$this->unique_name);
 if ($this->code != "iso-8859-1")
diff --git a/reporting/includes/pdf_report.inc b/reporting/includes/pdf_report.inc
index 6b9b45c9..dd0ae918 100644
--- a/reporting/includes/pdf_report.inc
+++ b/reporting/includes/pdf_report.inc
@@ -957,7 +957,7 @@ class FrontReport extends Cpdf
 }
 // do not use standard filenames or your sensitive company data
 // are world readable
- $fname = $dir.'/'.uniqid('').'.pdf';
+ $fname = $dir.'/'.random_id().'.pdf';
 $this->Output($fname, 'F');
 if ($email == 1)
diff --git a/reporting/rep102.php b/reporting/rep102.php
index e407c6d7..7f509f8f 100644
--- a/reporting/rep102.php
+++ b/reporting/rep102.php
@@ -245,7 +245,7 @@ function print_aged_customer_analysis()
 $pg->skin = $SysPrefs->graph_skin;
 $pg->built_in = false;
 $pg->latin_notation = ($SysPrefs->decseps[user_dec_sep()] != ".");
- $filename = company_path(). "/pdf_files/". uniqid("").".png";
+ $filename = company_path(). "/pdf_files/". random_id().".png";
 $pg->display($filename, true);
 $w = $pg->width / 1.5;
 $h = $pg->height / 1.5;
diff --git a/reporting/rep202.php b/reporting/rep202.php
index d327f8b9..dc899f57 100644
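Review bot: The CSRF token's format changes in the end_form() hunk from 64 lowercase hex characters to a 24-character base64url string that ends in `==` padding; anything that validates, logs or embeds `$_SESSION['csrf_token']` on the assumption of the hex alphabet (a regex check, an unescaped URL or JavaScript context) should be looked at, and stripping the padding inside random_id() would keep the token within `[A-Za-z0-9_-]`. The replacement itself is sound: 128 bits from a strong source is a clear improvement over `hash('sha256', uniqid(mt_rand(), true))`, which only mixes a timestamp with a Mersenne Twister value. Wherever the stored token is later compared with the submitted one (outside this hunk), the comparison should be constant-time, `hash_equals($_SESSION['csrf_token'], $submitted)`. end_form() starts and ends outside the hunk.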
--- a/reporting/rep202.php
+++ b/reporting/rep202.php
@@ -253,7 +253,7 @@ function print_aged_supplier_analysis()
 $pg->skin = $SysPrefs->graph_skin;
 $pg->built_in = false;
 $pg->latin_notation = ($SysPrefs->decseps[user_dec_sep()] != ".");
- $filename = company_path(). "/pdf_files/". uniqid("").".png";
+ $filename = company_path(). "/pdf_files/". random_id().".png";
 $pg->display($filename, true);
 $w = $pg->width / 1.5;
 $h = $pg->height / 1.5;
diff --git a/reporting/rep706.php b/reporting/rep706.php
index dd79272e..30e2520b 100644
--- a/reporting/rep706.php
+++ b/reporting/rep706.php
@@ -312,7 +312,7 @@ function print_balance_sheet()
 $pg->skin = $SysPrefs->graph_skin;
 $pg->built_in = false;
 $pg->latin_notation = ($SysPrefs->decseps[user_dec_sep()] != ".");
- $filename = company_path(). "/pdf_files/". uniqid("").".png";
+ $filename = company_path(). "/pdf_files/". random_id().".png";
 $pg->display($filename, true);
 $w = $pg->width / 1.5;
 $h = $pg->height / 1.5;
diff --git a/reporting/rep707.php b/reporting/rep707.php
index bd13ff9b..267636da 100644
--- a/reporting/rep707.php
+++ b/reporting/rep707.php
@@ -330,7 +330,7 @@ function print_profit_and_loss_statement()
 $pg->skin = $SysPrefs->graph_skin;
 $pg->built_in = false;
 $pg->latin_notation = ($SysPrefs->decseps[user_dec_sep()] != ".");
- $filename = company_path(). "/pdf_files/". uniqid("").".png";
+ $filename = company_path(). "/pdf_files/". random_id().".png";
 $pg->display($filename, true);
 $w = $pg->width / 1.5;
 $h = $pg->height / 1.5;
--
2.30.2