authorSteve Clay <sclay@ufl.edu>2013-12-01 20:41:23 -0500
committerSteve Clay <sclay@ufl.edu>2013-12-01 20:41:23 -0500
commit4ffb40d6b5b9219c2b6964592f58183da6f78962 (patch)
treed1e67236121f1a27637ed64d3774c0060b82f29b /engine/lib/actions.php
parentad8aff634c5c391042484aa9c8129e59faeac093 (diff)
parent003946eff06fcafe60db5894e1ade0abee7314b4 (diff)
Allow regenerating site secret
Diffstat (limited to 'engine/lib/actions.php')
-rw-r--r--engine/lib/actions.php27
1 files changed, 25 insertions, 2 deletions
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 56936f582..8047914ac 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -364,16 +364,19 @@ function generate_action_token($timestamp) {
}
/**
- * Initialise the site secret hash.
+ * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL).
*
* Used during installation and saves as a datalist.
*
+ * Note: Old secrets were hex encoded.
+ *
* @return mixed The site secret hash or false
* @access private
* @todo Move to better file.
*/
function init_site_secret() {
- $secret = md5(rand() . microtime());
+ $secret = 'z' . ElggCrypto::getRandomString(31);
+
if (datalist_set('__site_secret__', $secret)) {
return $secret;
}
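Review bot: The `'z'` prefix added on the `$secret = 'z' . ElggCrypto::getRandomString(31);` line is the only thing `_elgg_get_site_secret_strength()` later uses to call a secret strong, so this line depends on `getRandomString()` never falling back to a non-cryptographic source. That helper is not visible in this diff, so the guarantee should be confirmed and recorded next to the assignment, for example `// 'z' marks a secret drawn from a CSPRNG; never prefix it on a fallback source`. The docblock's `@return mixed The site secret hash or false` is also stale, since the value is no longer a hash; `@return mixed The site secret string or false` would match the new format. The function body continues past the end of this hunk.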
@@ -400,6 +403,26 @@ function get_site_secret() {
}
/**
+ * Get the strength of the site secret
+ *
+ * @return string "strong", "moderate", or "weak"
+ * @access private
+ */
+function _elgg_get_site_secret_strength() {
+ $secret = get_site_secret();
+ if ($secret[0] !== 'z') {
+ $rand_max = getrandmax();
+ if ($rand_max < pow(2, 16)) {
+ return 'weak';
+ }
+ if ($rand_max < pow(2, 32)) {
+ return 'moderate';
+ }
+ }
+ return 'strong';
+}
+
+/**
* Check if an action is registered and its script exists.
*
* @param string $action Action name
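Review bot: A legacy (non-`z`) secret can still be reported as `strong` in `_elgg_get_site_secret_strength()`: when `getrandmax()` is at least 2^32 both inner checks are skipped and control falls through to the final `return 'strong'`, although that secret came from `md5(rand() . microtime())`, which is not a cryptographic source whatever the range of `rand()`. `$secret[0]` is also read without checking that `get_site_secret()` returned a non-empty string; its body is outside this hunk, but `init_site_secret()` is documented as able to return false, and a missing secret would then be rated by `getrandmax()` alone. The rating also uses the current host's `getrandmax()`, which may differ from the host that generated the secret, so capping legacy secrets at `moderate` looks safer. A possible shape is below.

```php
function _elgg_get_site_secret_strength() {
	$secret = get_site_secret();
	if (!is_string($secret) || $secret === '') {
		// no usable secret: never rate it above weak
		return 'weak';
	}
	if ($secret[0] === 'z') {
		return 'strong';
	}
	// legacy md5(rand() . microtime()) secret: capped at moderate
	return (getrandmax() < pow(2, 16)) ? 'weak' : 'moderate';
}
```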