From 6d472b1592f217a5cd5d1e2515bb476a9ed7fc16 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Thu, 17 Nov 2016 11:08:54 +0100
Subject: [PATCH] use openssl_random_pseudo_bytes, if available, to generate etemplate_exec_id, as it is used for CSRF protection too
---
 api/src/Etemplate/Request.php | 18 ++++++++++++++++++
 api/src/Etemplate/Request/Cache.php | 12 ------------
 api/src/Etemplate/Request/Files.php | 2 +-
 api/src/Etemplate/Request/Session.php | 13 -------------
 4 files changed, 19 insertions(+), 26 deletions(-)
diff --git a/api/src/Etemplate/Request.php b/api/src/Etemplate/Request.php
index 8205376bce..3d0e5a74d9 100644
--- a/api/src/Etemplate/Request.php
+++ b/api/src/Etemplate/Request.php
@@ -350,6 +350,24 @@ class Request
 return isset($this->data['to_process'][$form_name]);
 }
+ /**
+ * creates a new unique request-id
+ *
+ * @return string
+ */
+ static function request_id()
+ {
+ // As we replace spaces with + for those account ids which contain spaces, therefore we need to do the same for getting request id too.
+ $userID = str_replace(' ', '+', rawurldecode($GLOBALS['egw_info']['user']['account_lid']));
+
+ // generate random token (using oppenssl if available otherwise mt_rand based Auth::randomstring)
+ $token = function_exists('openssl_random_pseudo_bytes') ?
+ base64_encode(openssl_random_pseudo_bytes(32)) :
+ Auth::randomstring(44);
+
+ return $GLOBALS['egw_info']['flags']['currentapp'].'_'.$userID.'_'.$token;
+ }
+
 /**
 * magic function to set all request-vars, used eg. as $request->method = 'app.class.method';
 *
diff --git a/api/src/Etemplate/Request/Cache.php b/api/src/Etemplate/Request/Cache.php
index de6394cd56..fc258b574c 100644
--- a/api/src/Etemplate/Request/Cache.php
+++ b/api/src/Etemplate/Request/Cache.php
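Review bot: The `base64_encode(openssl_random_pseudo_bytes(32))` line produces the standard base64 alphabet, so about half of the generated ids will contain a `/` and all end in `=`, while Files.php in this same patch now joins the id straight onto `self::$directory.'/'.$id` — a slash turns the id into a nested path that `file_exists` never finds and the later save presumably cannot create, and `+`, `/` and `=` also need escaping wherever the id travels as etemplate_exec_id in forms or URLs. A file- and URL-safe encoding such as `bin2hex($bytes)` or `rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=')` avoids both problems. Separately, `openssl_random_pseudo_bytes` reports through its second argument whether the bytes were cryptographically strong; since the commit subject says the id doubles as a CSRF token, that flag should be checked before trusting the output, and on PHP 7+ `random_bytes(32)` is the better first choice because it throws instead of silently degrading, with the mt_rand based `Auth::randomstring` kept only as a last resort. The comment on that line also misspells `oppenssl`.
```php
		// generate random token: random_bytes (PHP 7+), then openssl, then mt_rand based Auth::randomstring
		$bytes = false;
		if (function_exists('random_bytes'))
		{
			$bytes = random_bytes(32);
		}
		elseif (function_exists('openssl_random_pseudo_bytes'))
		{
			$bytes = openssl_random_pseudo_bytes(32, $strong);
			if (!$strong) $bytes = false;	// never use bytes openssl reports as not cryptographically strong
		}
		// hex keeps the id usable as a file name and in URLs/forms (no '/', '+' or '=')
		$token = $bytes !== false ? bin2hex($bytes) : Auth::randomstring(44);
		// … unchanged: return currentapp_userID_token …
```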
@@ -115,18 +115,6 @@ class Cache extends Etemplate\Request
 return $request;
 }
- /**
- * creates a new unique request-id
- *
- * @return string
- */
- static function request_id()
- {
- // As we replace spaces with + for those account ids which contain spaces, therefore we need to do the same for getting request id too.
- $userID = str_replace(' ', '+', rawurldecode($GLOBALS['egw_info']['user']['account_lid']));
- return uniqid($GLOBALS['egw_info']['flags']['currentapp'].'_'.$userID.'_',true);
- }
-
 /**
 * saves content,readonlys,template-keys, ... via eGW's appsession function
 *
diff --git a/api/src/Etemplate/Request/Files.php b/api/src/Etemplate/Request/Files.php
index 950754f41e..704e242147 100644
--- a/api/src/Etemplate/Request/Files.php
+++ b/api/src/Etemplate/Request/Files.php
@@ -129,7 +129,7 @@ class Files extends Etemplate\Request
 {
 do
 {
- $id = uniqid('etemplate_'.$GLOBALS['egw_info']['flags']['currentapp'].'_',true);
+ $id = parent::request_id();
 }
 while (file_exists(self::$directory.'/'.$id));
diff --git a/api/src/Etemplate/Request/Session.php b/api/src/Etemplate/Request/Session.php
index adbb592298..14e0f11358 100644
--- a/api/src/Etemplate/Request/Session.php
+++ b/api/src/Etemplate/Request/Session.php
@@ -104,19 +104,6 @@ class Session extends Etemplate\Request
 return $request;
 }
- /**
- * creates a new request-id via microtime()
- *
- * @return string
- */
- static function request_id()
- {
- $time = (int) (100 * microtime(true)); // gives precision of 1/100 sec
- $id = $GLOBALS['egw_info']['flags']['currentapp'] .':'. $time;
-
- return $id;
- }
-
 /**
 * saves content,readonlys,template-keys, ... via eGW's appsession function
 *
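Review bot: With `$id = parent::request_id();` the file name under `self::$directory` now also carries the decoded `account_lid` that `Request::request_id()` embeds (only spaces are rewritten to `+`), whereas the replaced `uniqid('etemplate_'...)` value consisted of hex digits and a dot only. account_lid is presumably admin-managed, but it is still a stored user string that now reaches the file system, so mapping the id to a path through a safe transform — e.g. `rawurlencode($id)` or a whitelist such as `preg_replace('/[^A-Za-z0-9_.+-]/', '_', $id)` (constructed example), applied here before `file_exists` and wherever the file is read back — keeps the name inside the directory regardless of what a login name contains. The enclosing method starts before and ends after this hunk.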