From b6bb1893ad7b4a901a28b0fa2e725141a7b39509 Mon Sep 17 00:00:00 2001
From: Malf Furious
Date: Sat, 30 Jan 2016 20:48:14 -0500
Subject: Update app source of entropy for creating random blobs

Removed use of PHP's rand() functon in favor of openssl extension's openssl_random_pseudo_bytes() to create blobs with better entropy. Created function getBlob (from class Object) to get a sha256 hash created from randomness for use as object GUIDs, password salts, application tokens, etc.
---
 app/class/object.class.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'app')

diff --git a/app/class/object.class.php b/app/class/object.class.php
index 93b52f0..96cc810 100644
--- a/app/class/object.class.php
+++ b/app/class/object.class.php
@@ -214,13 +214,20 @@ abstract class Object extends Framework
 {
 do {
- $sha = hash("sha256", rand());
- $guid = substr($sha, 0, 8);
+ $guid = substr($this->getBlob(), 0, 8);
 } while ($this->isGUID($guid));
 return $guid;
 }
+
+ /*
+ * Get a random sha256 blob
+ */
+ function getBlob()
+ {
+ return hash("sha256", openssl_random_pseudo_bytes(64));
+ }
 }
 /*
-- cgit v1.2.3
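Review bot: `getBlob()` feeds the result of `openssl_random_pseudo_bytes(64)` straight into `hash()` without reading the by-reference `$crypto_strong` flag or checking for a `false` return, so on a host where OpenSSL cannot supply strong bytes the method quietly returns the hash of an empty string, a fixed value, even though the description says these blobs become password salts and application tokens. Read the flag and fail closed: `$bytes = openssl_random_pseudo_bytes(64, $strong);` `if ($bytes === false || !$strong) { throw new Exception("no strong randomness available"); }` `return hash("sha256", $bytes);`. Where PHP 7 is available, `random_bytes(64)` throws on failure by itself and is the preferred source. The new method also has no visibility keyword; `public function getBlob()` states the intent. The `do { ... } while` loop at the top of the hunk belongs to a method whose signature lies above the hunk.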