Update recoverPassword.php to use a secure random number generator. #147
The original implementation of recoverPassword.php uses a timestamp for
This attack was tested against CDash and was found to be effective.
If you're happy with this approach, we can replace other uses of
Have you ever considered ircmaxell/random-lib? If using paragonie/random_compat (which is fine), it should be installed using composer, see https://packagist.org/packages/paragonie/random_compat.
I didn't want to change too much of the CDash code, so I chose paragonie/random_compat, as it's almost a "drop-in" replacement. Plus, it means that users of PHP 7 will use the native random_int function instead of an extra library.
I've added paragonie/random_compat into package.json, so Composer will install it as a dependency.
If anyone has strong preferences to change this approach, then I'm happy to modify my pull request, as long as the insecure random number generator use is fixed. :)
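The following is an added example, not code from this pull request or from CDash, illustrating the class of weakness the PR description refers to (a recovery key whose only source of unpredictability is a timestamp) next to the random_int() replacement the author settled on. The page does not show how recoverPassword.php actually used the timestamp, so weakRecoveryKey() is an assumed, hypothetical pattern (timestamp-seeded mt_rand()), and the alphabet, key length, function names and the search window in guessWeakKey() are illustrative choices. Scalar type hints are left out so the fixed half runs on PHP 5 with paragonie/random_compat as well as on PHP 7.

```php
<?php
// Added example (not CDash's code). Shows why a timestamp-derived recovery key
// is guessable and what the random_int()-based replacement looks like.

// WEAK (hypothetical pattern, assumed for illustration): the PRNG is seeded with
// the request time, so the whole key is a function of one second-resolution value.
function weakRecoveryKey($timestamp, $length = 20)
{
    mt_srand($timestamp);
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[mt_rand(0, $max)];
    }
    return $key;
}

// Attacker's view: an approximate request time (e.g. from the e-mail header or
// the moment the attacker triggered the reset) and a window of +/- N seconds is
// enough to regenerate every candidate key and test each against the server.
// $isValid stands in for "submit the candidate to the recovery endpoint".
function guessWeakKey($isValid, $approxTime, $windowSeconds)
{
    for ($t = $approxTime - $windowSeconds; $t <= $approxTime + $windowSeconds; $t++) {
        $candidate = weakRecoveryKey($t);
        if ($isValid($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// FIXED: random_int() is a CSPRNG built into PHP 7. On PHP 5 the same function
// is provided by paragonie/random_compat once Composer's autoloader is loaded:
//   require __DIR__ . '/vendor/autoload.php';
// No seed is involved, so knowing the request time tells the attacker nothing.
function secureRecoveryKey($length = 20)
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

// Demo with constructed values: the server issues a weak key at $requestTime;
// the attacker only knows the time to within a few seconds.
$requestTime = 1500000000;
$issuedKey = weakRecoveryKey($requestTime);

// hash_equals() (PHP 5.6+) avoids a timing side channel on the comparison.
$isValid = function ($candidate) use ($issuedKey) {
    return hash_equals($issuedKey, $candidate);
};

$recovered = guessWeakKey($isValid, $requestTime + 3, 10);
echo 'weak key recovered by attacker: ' . ($recovered === $issuedKey ? 'yes' : 'no') . "\n";

// The secure key cannot be regenerated from any timestamp; each call differs.
$strongKey = secureRecoveryKey();
echo "secure key: $strongKey\n";
```

The search in guessWeakKey() is the whole attack: a second-resolution seed gives at most a few hundred candidates for any realistic window, which is trivial to submit against a recovery endpoint that has no rate limiting. Swapping mt_rand() for random_int() removes the seed entirely, which is why a near drop-in replacement is sufficient here; the key length and alphabet can stay as they were.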