use openssl_random_pseudo_bytes, if available, to generate etemplate_exec_id, as it is used for CSRF protection too

This commit is contained in:
Ralf Becker 2016-11-17 11:08:54 +01:00
parent d04f204d14
commit 6d472b1592
4 changed files with 19 additions and 26 deletions

View File

@ -350,6 +350,24 @@ class Request
return isset($this->data['to_process'][$form_name]);
}
/**
* creates a new unique request-id
*
* @return string
*/
static function request_id()
{
// As we replace spaces with + for those account ids which contain spaces, therefore we need to do the same for getting request id too.
$userID = str_replace(' ', '+', rawurldecode($GLOBALS['egw_info']['user']['account_lid']));
// generate random token (using oppenssl if available otherwise mt_rand based Auth::randomstring)
$token = function_exists('openssl_random_pseudo_bytes') ?
base64_encode(openssl_random_pseudo_bytes(32)) :
Auth::randomstring(44);
return $GLOBALS['egw_info']['flags']['currentapp'].'_'.$userID.'_'.$token;
}
/**
* magic function to set all request-vars, used eg. as $request->method = 'app.class.method';
*

View File

@ -115,18 +115,6 @@ class Cache extends Etemplate\Request
return $request;
}
/**
* creates a new unique request-id
*
* @return string
*/
static function request_id()
{
// As we replace spaces with + for those account ids which contain spaces, therefore we need to do the same for getting request id too.
$userID = str_replace(' ', '+', rawurldecode($GLOBALS['egw_info']['user']['account_lid']));
return uniqid($GLOBALS['egw_info']['flags']['currentapp'].'_'.$userID.'_',true);
}
/**
* saves content,readonlys,template-keys, ... via eGW's appsession function
*

View File

@ -129,7 +129,7 @@ class Files extends Etemplate\Request
{
do
{
$id = uniqid('etemplate_'.$GLOBALS['egw_info']['flags']['currentapp'].'_',true);
$id = parent::request_id();
}
while (file_exists(self::$directory.'/'.$id));

View File

@ -104,19 +104,6 @@ class Session extends Etemplate\Request
return $request;
}
/**
* creates a new request-id via microtime()
*
* @return string
*/
static function request_id()
{
$time = (int) (100 * microtime(true)); // gives precision of 1/100 sec
$id = $GLOBALS['egw_info']['flags']['currentapp'] .':'. $time;
return $id;
}
/**
* saves content,readonlys,template-keys, ... via eGW's appsession function
*