www/adiumxtras.com 56:533cb44de6a6: Improve the randomness of ve...

Fri Feb 27 12:18:32 UTC 2015


details:	http://hg.adium.im/www/adiumxtras.com/rev/533cb44de6a6
revision:	56:533cb44de6a6
branch:		adiumxtras.com
author:		Thijs Alkemade <me at thijsalkema.de>
date:		Fri Feb 27 13:18:23 2015 +0100

Improve the randomness of verification codes. It was trivially easy to validate accounts without a valid email.

diffs (21 lines):

diff -r 00fb0cf6347e -r 533cb44de6a6 users.php
--- a/users.php	Fri Feb 27 09:39:50 2015 +0100
+++ b/users.php	Fri Feb 27 13:18:23 2015 +0100
@@ -79,7 +79,7 @@
 					$smarty->assign("message", "The username you are attempting to reset has not yet been verified. Please check your email and confirm the account.");
 					$smarty->display('error.tpl');
 				} else {
-					$vCode = md5(time()*5789);
+					$vCode = md5(openssl_random_pseudo_bytes(32));
 					$sql->query("UPDATE users SET vcode='%s' WHERE user_id='%d'", $vCode, $userInfo['user_id']);
 					mail($userInfo['email'], "Password Recovery", sprintf("Dear %s (that is also your username),\n\nYou have requested that your password be reset on the Adium Xtras site. Go to the following URL to continue this action:\n\nhttp://adiumxtras.com/index.php?a=users&do=reset&vcode=%s", $userInfo['username'], $vCode), "From: xtras at adiumxtras.com");
 					$smarty->assign("title", "Forgot Password");
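Review bot: The new line at 79 never checks the result of `openssl_random_pseudo_bytes()`, which on PHP of this era returns `false` on failure and reports via its second by-reference argument whether the bytes were cryptographically strong; on failure `md5(false)` is just `md5('')`, a fixed value, so the reset code becomes fully predictable again. The hunk at line 200 has the same gap, and there a `false` return silently degrades the concatenation back to the original `md5($email . $username)` that this commit is meant to replace. Both sites should request the strength flag, refuse to issue a code when it is not set, and only then hash the bytes; the surrounding `else` block continues past the end of the hunk, so the error path below reuses the file's existing `$smarty` error pattern rather than guessing at a return convention. The same guard applies verbatim to the registration branch.
```php
} else {
    $bytes = openssl_random_pseudo_bytes(32, $strong);
    if ($bytes === false || !$strong) {
        // Never fall back to a weak or constant code; refuse the request instead.
        $smarty->assign("message", "Could not generate a secure verification code. Please try again later.");
        $smarty->display('error.tpl');
    } else {
        $vCode = md5($bytes);
        // … unchanged: UPDATE users, mail(), Smarty title assignment …
    }
```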
@@ -200,7 +200,7 @@
 				$smarty->assign("title", "Registration");
 				$smarty->display("registerForm.tpl");
 			} else {
-				$verificationCode = md5($email . $username);
+				$verificationCode = md5($email . $username . openssl_random_pseudo_bytes(32));
 				
 				// This is utterly long and difficult to read.
 				$sql->query("INSERT INTO users (username, password, vcode, email, show_email, reg_date, reg_ip)



