From c2b29c317f2d3bf41ed737c9eb3d49bce41ec432 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Mon, 17 May 2010 09:40:32 +0200 Subject: [PATCH] [ticket/9612] Introduce new function gen_rand_string_friendly(). Introduce new function gen_rand_string_friendly() for user friendly random strings like passwords and captcha codes. Strings generated by gen_rand_string_friendly() will not contain the characters 0 and O. By adding a new function we can increase the entropy of strings generated by gen_rand_string() by putting 0 and O back in. PHPBB3-9612 --- .../captcha/plugins/captcha_abstract.php | 8 ++++---- phpBB/includes/functions.php | 17 +++++++++++++++++ phpBB/includes/ucp/ucp_remind.php | 2 +- 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/phpBB/includes/captcha/plugins/captcha_abstract.php b/phpBB/includes/captcha/plugins/captcha_abstract.php index e7b8742b05..21cacd730c 100644 --- a/phpBB/includes/captcha/plugins/captcha_abstract.php +++ b/phpBB/includes/captcha/plugins/captcha_abstract.php @@ -59,7 +59,7 @@ class phpbb_default_captcha { global $user; - $this->code = gen_rand_string(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS)); + $this->code = gen_rand_string_friendly(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS)); $this->seed = hexdec(substr(unique_id(), 4, 10)); // compute $seed % 0x7fffffff @@ -235,7 +235,7 @@ class phpbb_default_captcha { global $db, $user; - $this->code = gen_rand_string(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS)); + $this->code = gen_rand_string_friendly(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS)); $this->confirm_id = md5(unique_id($user->ip)); $this->seed = hexdec(substr(unique_id(), 4, 10)); $this->solved = 0; @@ -259,7 +259,7 @@ class phpbb_default_captcha { global $db, $user; - $this->code = gen_rand_string(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS)); + $this->code = gen_rand_string_friendly(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS)); $this->seed = hexdec(substr(unique_id(), 4, 10)); $this->solved = 0; // compute $seed % 0x7fffffff @@ -281,7 +281,7 @@ class phpbb_default_captcha { global $db, $user; - $this->code = gen_rand_string(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS)); + $this->code = gen_rand_string_friendly(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS)); $this->seed = hexdec(substr(unique_id(), 4, 10)); $this->solved = 0; // compute $seed % 0x7fffffff diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index cd8447a2a3..2b5b8e6092 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -195,10 +195,27 @@ function set_config_count($config_name, $increment, $is_dynamic = false) /** * Generates an alphanumeric random string of given length +* +* @return string */ function gen_rand_string($num_chars = 8) +{ + // [a, z] + [0, 9] = 36 + return strtoupper(base_convert(unique_id(), 16, 36)); +} + +/** +* Generates a user-friendly alphanumeric random string of given length +* We remove 0 and O so users cannot confuse those in passwords etc. +* +* @return string +*/ +function gen_rand_string_friendly($num_chars = 8) { $rand_str = unique_id(); + + // Remove Z and Y from the base_convert(), replace 0 with Z and O with Y + // [a, z] + [0, 9] - {z, y} = [a, z] + [0, 9] - {0, o} = 34 $rand_str = str_replace(array('0', 'O'), array('Z', 'Y'), strtoupper(base_convert($rand_str, 16, 34))); return substr($rand_str, 0, $num_chars); diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index 0042cd9df7..cb89ad99be 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -79,7 +79,7 @@ class ucp_remind // Make password at least 8 characters long, make it longer if admin wants to. // gen_rand_string() however has a limit of 12 or 13. - $user_password = gen_rand_string(max(8, rand((int) $config['min_pass_chars'], (int) $config['max_pass_chars']))); + $user_password = gen_rand_string_friendly(max(8, mt_rand((int) $config['min_pass_chars'], (int) $config['max_pass_chars']))); // For the activation key a random length between 6 and 10 will do. $user_actkey = gen_rand_string(mt_rand(6, 10));