From 16a9bdc38708c0e3b81eae3a79216214d493b57e Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 5 Mar 2019 20:16:50 +0300
Subject: [PATCH] make_password: generate longer passwords by default, use better random function if available
---
 classes/pref/users.php | 4 ++--
 include/functions.php | 2 +-
 install/index.php | 15 +++++++++++----
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/classes/pref/users.php b/classes/pref/users.php
index 8fd09ac4d..7b75bb872 100644
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@@ -231,7 +231,7 @@ class Pref_Users extends Handler_Protected {
 function add() {
 $login = trim(clean($_REQUEST["login"]));
- $tmp_user_pwd = make_password(8);
+ $tmp_user_pwd = make_password();
 $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@@ -283,7 +283,7 @@ class Pref_Users extends Handler_Protected {
 $login = $row["login"];
 $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
- $tmp_user_pwd = make_password(8);
+ $tmp_user_pwd = make_password();
 $pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
diff --git a/include/functions.php b/include/functions.php
index 8c0654f3c..acc53c84c 100755
--- a/include/functions.php
+++ b/include/functions.php
@@ -737,7 +737,7 @@
 }
 }
- function make_password($length = 8) {
+ function make_password($length = 12) {
 $password = "";
 $possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ";
diff --git a/install/index.php b/install/index.php
index accabe3d3..815422712 100755
--- a/install/index.php
+++ b/install/index.php
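Review bot: The include/functions.php copy of make_password gets only the new default length in this hunk; its body lies outside the hunk, and the diffstat (2 lines changed in that file) indicates nothing else there was touched, so it presumably still selects characters with mt_rand while the install/index.php copy in the same commit moves to random_int. This is the copy that Pref_Users::add and the password-reset path in classes/pref/users.php call for real account passwords, so the stronger generator is the one users never get; the single selection line in the body should become `$char = substr($possible, random_int(0, strlen($possible) - 1), 1);` (with the same function_exists guard used in install/index.php if pre-7.0 PHP is still supported), or the installer should reuse this function instead of carrying its own. Note also that this copy's alphabet lacks the `*%+^` symbols the install copy has; a one-line comment on `$possible` stating that visually ambiguous characters (0/O, 1/l/I, e/E, u/U) are deliberately omitted would make the two lists easier to keep in sync.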
@@ -55,21 +55,28 @@ // }
- function make_password($length = 8) {
-
+ function make_password($length = 12) {
 $password = "";
 $possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ*%+^";
- $i = 0;
+ $i = 0;
 while ($i < $length) {
- $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
+
+ try {
+ $idx = function_exists("random_int") ? random_int(0, strlen($possible) - 1) : mt_rand(0, strlen($possible) - 1);
+ } catch (Exception $e) {
+ $idx = mt_rand(0, strlen($possible) - 1);
+ }
+
+ $char = substr($possible, $idx, 1);
 if (!strstr($password, $char)) {
 $password .= $char;
 $i++;
 }
 }
+
 return $password;
 }
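Review bot: The catch block added inside the while loop silently downgrades to mt_rand() whenever random_int() throws, so on a host whose entropy source is unavailable the installer still hands out an initial password drawn from a non-cryptographic generator with nothing logged or shown. Because random_int() only throws when it cannot obtain secure randomness, it is safer to let that exception surface (or abort the install with a clear message) than to fall back; the try/catch can collapse to `$max = strlen($possible) - 1;`, `$idx = function_exists("random_int") ? random_int(0, $max) : mt_rand(0, $max);`, `$char = substr($possible, $idx, 1);`, keeping the mt_rand branch only for PHP versions that lack random_int. Independently, the pre-existing `!strstr($password, $char)` test means no character is ever reused, which shrinks the set of possible passwords relative to the nominal alphabet and makes the loop never terminate if $length exceeds the 56-character alphabet; a comment such as `// characters are never repeated: $length must stay below strlen($possible)` would at least document the constraint until the dedup is dropped. The hunk's trailing context may extend past the closing brace shown here.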