[ticket/9612] Introduce new function gen_rand_string_friendly().

Introduce new function gen_rand_string_friendly() for user friendly random strings like passwords and captcha codes. Strings generated by gen_rand_string_friendly() will not contain the characters 0 and O. By adding a new function we can increase the entropy of strings generated by gen_rand_string() by putting 0 and O back in. PHPBB3-9612
2025-06-28 06:08:52 +00:00 · 2010-05-17 09:40:32 +02:00 · 2010-05-17 09:40:32 +02:00 · c2b29c317f
commit c2b29c317f
parent af21e38c1d
3 changed files with 22 additions and 5 deletions
--- a/phpBB/includes/captcha/plugins/captcha_abstract.php
+++ b/phpBB/includes/captcha/plugins/captcha_abstract.php
@ -59,7 +59,7 @@ class phpbb_default_captcha
 	{
 		global $user;

-		$this->code = gen_rand_string(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS));
+		$this->code = gen_rand_string_friendly(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS));
 		$this->seed = hexdec(substr(unique_id(), 4, 10));

 		// compute $seed % 0x7fffffff
@ -235,7 +235,7 @@ class phpbb_default_captcha
 	{
 		global $db, $user;

-		$this->code = gen_rand_string(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS));
+		$this->code = gen_rand_string_friendly(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS));
 		$this->confirm_id = md5(unique_id($user->ip));
 		$this->seed = hexdec(substr(unique_id(), 4, 10));
 		$this->solved = 0;
@ -259,7 +259,7 @@ class phpbb_default_captcha
 	{
 		global $db, $user;

-		$this->code = gen_rand_string(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS));
+		$this->code = gen_rand_string_friendly(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS));
 		$this->seed = hexdec(substr(unique_id(), 4, 10));
 		$this->solved = 0;
 		// compute $seed % 0x7fffffff
@ -281,7 +281,7 @@ class phpbb_default_captcha
 	{
 		global $db, $user;

-		$this->code = gen_rand_string(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS));
+		$this->code = gen_rand_string_friendly(mt_rand(CAPTCHA_MIN_CHARS, CAPTCHA_MAX_CHARS));
 		$this->seed = hexdec(substr(unique_id(), 4, 10));
 		$this->solved = 0;
 		// compute $seed % 0x7fffffff
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@ -195,10 +195,27 @@ function set_config_count($config_name, $increment, $is_dynamic = false)

 /**
 * Generates an alphanumeric random string of given length
+*
+* @return string
 */
 function gen_rand_string($num_chars = 8)
+{
+	// [a, z] + [0, 9] = 36
+	return strtoupper(base_convert(unique_id(), 16, 36));
+}
+
+/**
+* Generates a user-friendly alphanumeric random string of given length
+* We remove 0 and O so users cannot confuse those in passwords etc.
+*
+* @return string
+*/
+function gen_rand_string_friendly($num_chars = 8)
 {
 	$rand_str = unique_id();
+
+	// Remove Z and Y from the base_convert(), replace 0 with Z and O with Y
+	// [a, z] + [0, 9] - {z, y} = [a, z] + [0, 9] - {0, o} = 34
 	$rand_str = str_replace(array('0', 'O'), array('Z', 'Y'), strtoupper(base_convert($rand_str, 16, 34)));

 	return substr($rand_str, 0, $num_chars);
--- a/phpBB/includes/ucp/ucp_remind.php
+++ b/phpBB/includes/ucp/ucp_remind.php
@ -79,7 +79,7 @@ class ucp_remind

 			// Make password at least 8 characters long, make it longer if admin wants to.
 			// gen_rand_string() however has a limit of 12 or 13.
-			$user_password = gen_rand_string(max(8, rand((int) $config['min_pass_chars'], (int) $config['max_pass_chars'])));
+			$user_password = gen_rand_string_friendly(max(8, mt_rand((int) $config['min_pass_chars'], (int) $config['max_pass_chars'])));

 			// For the activation key a random length between 6 and 10 will do.
 			$user_actkey = gen_rand_string(mt_rand(6, 10));