From 5529d94ed76d414969ac47e08e17b0e1ce9c36e7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 28 May 2015 04:37:33 -0400
Subject: [PATCH] Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)

---
 program/lib/Roundcube/rcube.php       |    3 -
 CHANGELOG                             |    1 
 program/include/rcmail_install.php    |   25 +-----------
 tests/Framework/Utils.php             |   11 +++++
 program/lib/Roundcube/rcube_utils.php |   30 +++++++++++++++
 5 files changed, 45 insertions(+), 25 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5f9925e..a451e7a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -27,6 +27,7 @@
 - Fix issues when using moduserprefs.sh without --user argument (#1490399)
 - Fix potential info disclosure issue by protecting directory access (#1490378)
 - Fix blank image in html_signature when saving identity changes (#1490412)
+- Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
 
 RELEASE 1.1.1
 -------------
diff --git a/program/include/rcmail_install.php b/program/include/rcmail_install.php
index 0d5fbc5..619b78a 100644
--- a/program/include/rcmail_install.php
+++ b/program/include/rcmail_install.php
@@ -163,7 +163,7 @@
     $value = $this->config[$name];
 
     if ($name == 'des_key' && !$this->configured && !isset($_REQUEST["_$name"]))
-      $value = self::random_key(24);
+      $value = rcube_utils::random_bytes(24);
 
     return $value !== null && $value !== '' ? $value : $default;
   }
@@ -193,7 +193,7 @@
 
       // generate new encryption key, never use the default value
       if ($prop == 'des_key' && $value == $this->defaults[$prop])
-        $value = $this->random_key(24);
+        $value = rcube_utils::random_bytes(24);
 
       // convert some form data
       if ($prop == 'debug_level' && !$is_default) {
@@ -789,25 +789,4 @@
   {
       $this->last_error = $p;
   }
-
-
-  /**
-   * Generarte a ramdom string to be used as encryption key
-   *
-   * @param int Key length
-   * @return string The generated random string
-   * @static
-   */
-  function random_key($length)
-  {
-    $alpha = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_=';
-    $out = '';
-
-    for ($i=0; $i < $length; $i++)
-      $out .= $alpha{rand(0, strlen($alpha)-1)};
-
-    return $out;
-  }
-
 }
-
diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
index 20f509e..80fc2a0 100644
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@@ -1005,8 +1005,7 @@
             if (empty($_SESSION['secure_token']) && $generate) {
                 // generate x characters long token
                 $length = $len > 1 ? $len : 16;
-                $token  = openssl_random_pseudo_bytes($length / 2);
-                $token  = bin2hex($token);
+                $token  = rcube_utils::random_bytes($length);
 
                 $plugin = $this->plugins->exec_hook('secure_token',
                     array('value' => $token, 'length' => $length));
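Review bot: The secure token now degrades silently when the openssl extension is absent: before this change `openssl_random_pseudo_bytes()` was called directly here, so a missing extension failed loudly, whereas `rcube_utils::random_bytes()` as added in this commit falls back to a `rand()`-based string with no signal to the administrator. Since the result is stored as `$_SESSION['secure_token']`, consider logging the degraded source (or refusing to generate) rather than accepting it quietly; a comment such as `// rcube_utils::random_bytes() falls back to rand() when openssl is unavailable` would at least make the dependency visible at this call site. The enclosing function starts and ends outside the hunk.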
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index e6f9493..e1b9bdb 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -1138,4 +1138,34 @@
 
         return $url;
     }
+
+    /**
+     * Generate a ramdom string
+     *
+     * @param int String length
+     *
+     * @return string The generated random string
+     */
+    public static function random_bytes($length)
+    {
+        if (function_exists('openssl_random_pseudo_bytes')) {
+            $random = openssl_random_pseudo_bytes(ceil($length / 2));
+            $random = bin2hex($random);
+
+            // if the length wasn't even...
+            if ($length < strlen($random)) {
+                $random = substr($random, 0, $length);
+            }
+        }
+        else {
+            $alpha  = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_=';
+            $random = '';
+
+            for ($i = 0; $i < $length; $i++) {
+                $random .= $alpha[rand(0, strlen($alpha)-1)];
+            }
+        }
+
+        return $random;
+    }
 }
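Review bot: The `$crypto_strong` by-reference second argument of `openssl_random_pseudo_bytes()` is never read in the new `random_bytes()`, and a `false` return is not detected either, so a failed or non-strong draw passes through `bin2hex()` and is returned as a key or token without any error — and the callers in this commit use the value as `des_key` and as the session secure token. The `else` branch draws from `rand()`, which is not a cryptographic source, and nothing records that the weak path was taken; at minimum log it, and prefer PHP 7's `random_bytes()` where it exists. An early `if ($length < 1) return '';` would keep the 0 and -1 cases the accompanying test pins independent of how openssl treats a non-positive size, and `(int) ceil(...)` avoids passing a float. The docblock also misspells "random" as "ramdom".
```php
    public static function random_bytes($length)
    {
        if ($length < 1) {
            return '';
        }

        if (function_exists('openssl_random_pseudo_bytes')) {
            $random = openssl_random_pseudo_bytes((int) ceil($length / 2), $strong);

            // a false result or a non-strong draw must not silently become a key
            if ($random !== false && $strong) {
                return substr(bin2hex($random), 0, $length);
            }
        }

        // … unchanged: rand()-based alphabet fallback (not a cryptographic source; log that it was used) …
        return $random;
    }
```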
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index b881cea..b9b99ff 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -419,4 +419,15 @@
             $this->assertSame($output, $result);
         }
     }
+
+    /**
+     * rcube:utils::random_bytes()
+     */
+    function test_random_bytes()
+    {
+        $this->assertSame(15, strlen(rcube_utils::random_bytes(15)));
+        $this->assertSame(1, strlen(rcube_utils::random_bytes(1)));
+        $this->assertSame(0, strlen(rcube_utils::random_bytes(0)));
+        $this->assertSame(0, strlen(rcube_utils::random_bytes(-1)));
+    }
 }
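Review bot: The new test_random_bytes() checks only output length, so a generator returning a constant string of the right size would pass; add `$this->assertNotSame(rcube_utils::random_bytes(15), rcube_utils::random_bytes(15));` to catch that, and, because the openssl branch yields hex digits, `$this->assertSame(1, preg_match('/^[0-9a-f]{15}$/', rcube_utils::random_bytes(15)));` guarded by the same `function_exists('openssl_random_pseudo_bytes')` check the method uses. The `rand()` fallback branch cannot be selected from the test, so it remains unexercised here. The docblock reads `rcube:utils::random_bytes()` where it presumably means `rcube_utils::random_bytes()`.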

--
Gitblit v1.9.1