Use secure RNG if available

Recent browsers come with better RNG, so let's use it for generating password instead of Math.random if available. Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · Jan 25, 2016 · 8dedcc1 · 8dedcc1
1 parent 671d618
commit 8dedcc1
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/js/functions.js b/js/functions.js
@@ -322,11 +322,28 @@ function suggestPassword(passwd_form)
     var pwchars = "abcdefhjmnpqrstuvwxyz23456789ABCDEFGHJKLMNPQRSTUVWYXZ";
     var passwordlength = 16;    // do we want that to be dynamic?  no, keep it simple :)
     var passwd = passwd_form.generated_pw;
+    var randomWords = new Int32Array(passwordlength);
+
     passwd.value = '';
 
+    // First we're going to try to use a built-in CSPRNG
+    if (window.crypto && window.crypto.getRandomValues) {
+        window.crypto.getRandomValues(randomWords);
+    }
+    // Because of course IE calls it msCrypto instead of being standard
+    else if (window.msCrypto && window.msCrypto.getRandomValues) {
+        window.msCrypto.getRandomValues(randomWords);
+    } else {
+        // Fallback to Math.random
+        for (var i = 0; i < passwordlength; i++) {
+            randomWords[i] = Math.floor(Math.random() * pwchars.length);
+        }
+    }
+
     for (var i = 0; i < passwordlength; i++) {
-        passwd.value += pwchars.charAt(Math.floor(Math.random() * pwchars.length));
+        passwd.value += pwchars.charAt(Math.abs(randomWords[i]) % pwchars.length);
     }
+
     passwd_form.text_pma_pw.value = passwd.value;
     passwd_form.text_pma_pw2.value = passwd.value;
     return true;