use openssl_random_pseudo_bytes, if available, to generate etemplate_exec_id, as it is used for CSRF protection too

2024-11-14 20:14:11 +01:00 · 2016-11-17 11:08:54 +01:00 · 2016-11-17 11:08:54 +01:00 · a135f7615d
commit a135f7615d
parent 519ce307e0
4 changed files with 19 additions and 26 deletions
--- a/api/src/Etemplate/Request.php
+++ b/api/src/Etemplate/Request.php
@ -350,6 +350,24 @@ class Request
 		return isset($this->data['to_process'][$form_name]);
 	}

+	/**
+	 * creates a new unique request-id
+	 *
+	 * @return string
+	 */
+	static function request_id()
+	{
+		// As we replace spaces with + for those account ids which contain spaces, therefore we need to do the same for getting request id too.
+		$userID = str_replace(' ', '+', rawurldecode($GLOBALS['egw_info']['user']['account_lid']));
+
+		// generate random token (using oppenssl if available otherwise mt_rand based Auth::randomstring)
+		$token = function_exists('openssl_random_pseudo_bytes') ?
+			base64_encode(openssl_random_pseudo_bytes(32)) :
+			Auth::randomstring(44);
+
+		return $GLOBALS['egw_info']['flags']['currentapp'].'_'.$userID.'_'.$token;
+	}
+
 	/**
 	 * magic function to set all request-vars, used eg. as $request->method = 'app.class.method';
 	 *
--- a/api/src/Etemplate/Request/Cache.php
+++ b/api/src/Etemplate/Request/Cache.php
@ -115,18 +115,6 @@ class Cache extends Etemplate\Request
 		return $request;
 	}

-	/**
-	 * creates a new unique request-id
-	 *
-	 * @return string
-	 */
-	static function request_id()
-	{
-		// As we replace spaces with + for those account ids which contain spaces, therefore we need to do the same for getting request id too.
-		$userID = str_replace(' ', '+', rawurldecode($GLOBALS['egw_info']['user']['account_lid']));
-		return uniqid($GLOBALS['egw_info']['flags']['currentapp'].'_'.$userID.'_',true);
-	}
-
 	/**
 	 * saves content,readonlys,template-keys, ... via eGW's appsession function
 	 *
--- a/api/src/Etemplate/Request/Files.php
+++ b/api/src/Etemplate/Request/Files.php
@ -129,7 +129,7 @@ class Files extends Etemplate\Request
 	{
 		do
 		{
-			$id = uniqid('etemplate_'.$GLOBALS['egw_info']['flags']['currentapp'].'_',true);
+			$id = parent::request_id();
 		}
 		while (file_exists(self::$directory.'/'.$id));

--- a/api/src/Etemplate/Request/Session.php
+++ b/api/src/Etemplate/Request/Session.php
@ -104,19 +104,6 @@ class Session extends Etemplate\Request
 		return $request;
 	}

-	/**
-	 * creates a new request-id via microtime()
-	 *
-	 * @return string
-	 */
-	static function request_id()
-	{
-		$time = (int) (100 * microtime(true));	// gives precision of 1/100 sec
-		$id = $GLOBALS['egw_info']['flags']['currentapp'] .':'. $time;
-
-		return $id;
-	}
-
 	/**
 	 * saves content,readonlys,template-keys, ... via eGW's appsession function
 	 *