From 183a7b8845875e4a6b67e466cfff9f5163da3f17 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 31 May 2013 14:43:31 +0200
Subject: [PATCH] make password reset token completely random

No need for HMAC here because there's no length attack vector here. We
only care for the existance of the file and each reset request is
completely (random) independent from each other.
---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inc/auth.php b/inc/auth.php
index dac67bcb7..1f8489f03 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -993,7 +993,7 @@ function act_resendpwd() {
         }
 
         // generate auth token
-        $token = PassHash::hmac('md5', $user, auth_cookiesalt()); //secret but user based
+        $token = md5(uniqid(mt_rand(), true)); // random secret
         $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth';
         $url   = wl('', array('do'=> 'resendpwd', 'pwauth'=> $token), true, '&');
 
-- 
GitLab