SF.net SVN: postfixadmin:[1027] branches/postfixadmin-2.3
From: <chr...@us...> - 2011-04-10 14:27:54
Revision: 1027 http://postfixadmin.svn.sourceforge.net/postfixadmin/?rev=1027&view=rev Author: christian_boltz Date: 2011-04-10 14:27:48 +0000 (Sun, 10 Apr 2011) Log Message: ----------- functions.inc.php: - generate_password(): generate more secure random password Based on a patch from Pierre Fagrell (mrfrenzy@SF), https://sourceforge.net/tracker/?func=detail&aid=2958698&group_id=191583&atid=937964 (with some modifications) Modified Paths: -------------- branches/postfixadmin-2.3/CHANGELOG.TXT branches/postfixadmin-2.3/functions.inc.php Modified: branches/postfixadmin-2.3/CHANGELOG.TXT =================================================================== --- branches/postfixadmin-2.3/CHANGELOG.TXT 2011-04-10 14:16:17 UTC (rev 1026) +++ branches/postfixadmin-2.3/CHANGELOG.TXT 2011-04-10 14:27:48 UTC (rev 1027) @@ -13,7 +13,8 @@ Changes after 2.3.3 release (postfixadmin-2.3 branch) --------------------------------------------------------------- - - fix typo in variable name in squirrelmail plugin + - generate more secure random passwords + - squirrelmail plugin: fix typo in variable name Version 2.3.3 - 2011/03/14 - SVN r1010 (postfixadmin-2.3 branch) --------------------------------------------------------------- Modified: branches/postfixadmin-2.3/functions.inc.php =================================================================== --- branches/postfixadmin-2.3/functions.inc.php 2011-04-10 14:16:17 UTC (rev 1026) +++ branches/postfixadmin-2.3/functions.inc.php 2011-04-10 14:27:48 UTC (rev 1027) 
@@ -1107,9 +1107,30 @@ // Action: Generates a random password // Call: generate_password () // -function generate_password () -{ - $password = substr (md5 (mt_rand ()), 0, 8); +function generate_password () { + global $CONF; + + //check that password length is sensible + $length = (int) $CONF['min_password_length']; + if ($length < 5 || $length > 32) { + $length = 8; + } + + // define possible characters + $possible = "2345678923456789abcdefghijkmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ"; # skip 0 and 1 to avoid confusion with O and l + + // add random characters to $password until $length is reached + $password = ""; + while (strlen($password) < $length) { + // pick a random character from the possible ones + $char = substr($possible, mt_rand(0, strlen($possible)-1), 1); + + // we don't want this character if it's already in the password + if (!strstr($password, $char)) { + $password .= $char; + } + } + return $password; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
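Review bot: In the functions.inc.php hunk, generate_password() still picks each character with mt_rand(), which is a Mersenne Twister and not a cryptographically secure generator, so the change widens the alphabet but does not make the output unpredictable in the sense the log message claims. Please draw the index from a CSPRNG instead (openssl_random_pseudo_bytes() on PHP 5.3+, or random_int() where available) and map it onto $possible without modulo bias. Two further points in the same loop: the `if (!strstr($password, $char))` check forbids repeated characters, which shrinks the keyspace rather than strengthening the password, and "23456789" appears twice in $possible, so each draw is twice as likely to pick a digit as a letter. I would drop the duplicate check and list the digits once. The comment says 0 and 1 are skipped to avoid confusion with O and l, but uppercase I is still in the set; consider removing it as well. Finally, $CONF['min_password_length'] is used as the generated length, so every generated password sits exactly at the configured minimum. A comment explaining that choice, or a separate setting for the generated length, would help.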