Improve generate password logic (#16521)

### What does it do? Re-up of #15894 Changes password generation method to be more secure. ### Why is it needed? Actually random generation. ### How to test Apply and see passwords still get generated. ### Related issue(s)/PR(s) Re-up of #15894 Fixes #15740 --------- Co-authored-by: crystaldaking <[email protected]> Co-authored-by: Jan Peca <[email protected]>
modxcms · Sep 17, 2024 · 9e7bb63 · 9e7bb63
1 parent 3b0b2f8
commit 9e7bb63
Showing 1 changed file with 13 additions and 10 deletions.
diff --git a/core/src/Revolution/modUser.php b/core/src/Revolution/modUser.php
@@ -898,28 +898,31 @@ public function removeLocks(array $options = [])
     public function generatePassword($length = null, array $options = [])
     {
         if ($length === null) {
-            $length = $this->xpdo->getOption('password_generated_length', null, 10, true);
+            $length = (int)$this->xpdo->getOption('password_generated_length', null, 10, true);
         }
-        $passwordMinimumLength = $this->xpdo->getOption('password_min_length', null, 8, true);
+
+        $passwordMinimumLength = (int)$this->xpdo->getOption('password_min_length', null, 8, true);
         if ($length < $passwordMinimumLength) {
             $length = $passwordMinimumLength;
         }
-        $options = array_merge([
-            'allowable_characters' => 'abcdefghjkmnpqrstuvxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789',
-            'srand_seed_multiplier' => 1000000,
-        ], $options);
 
-        $ps_len = strlen($options['allowable_characters']);
-        srand((double)microtime() * $options['srand_seed_multiplier']);
+        if (empty($options['allowable_characters'])) {
+            $options['allowable_characters'] = 'abcdefghjkmnpqrstuvxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
+        }
+
+        $allowableCharactersLength = strlen($options['allowable_characters']);
+
+        $randomBytes = random_bytes($length);
+
         $pass = '';
         for ($i = 0; $i < $length; $i++) {
-            $pass .= $options['allowable_characters'][mt_rand(0, $ps_len - 1)];
+            $randomIndex = ord($randomBytes[$i]) % $allowableCharactersLength;
+            $pass .= $options['allowable_characters'][$randomIndex];
         }
 
         return $pass;
     }
 
-
     /**
      * Send an email to the user
      *