author | David Rothstein <drothstein@gmail.com> | 2013-11-20 15:49:21 -0500 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2013-11-20 15:49:21 -0500 |
commit | f01c994de8d6f54a5bef1523319c6da88048c146 (patch) | |
tree | f9f1a59d7cfcb10db208e54348a451d15facd9c5 /modules/user | |
parent | 3611e1670591e657dd6e6000f98d061def471654 (diff) | |
parent | 782d1155c62c0a879bf587c7e40c3a13bcf6879c (diff) | |
Merge tag '7.24' into 7.x
7.24 release
Conflicts:
CHANGELOG.txt
includes/bootstrap.inc
Diffstat (limited to 'modules/user')
-rw-r--r-- | modules/user/user.module | 6 | ||||
-rw-r--r-- | modules/user/user.pages.inc | 2 |
2 files changed, 6 insertions, 2 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index 3ecc95d44..29d479323 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -717,10 +717,14 @@ function user_password($length = 10) {
 // Loop the number of times specified by $length.
 for ($i = 0; $i < $length; $i++) {
+ do {
+ // Find a secure random number within the range needed.
+ $index = ord(drupal_random_bytes(1));
+ } while ($index > $len);
 // Each iteration, pick a random character from the
 // allowable string and append it to the password:
- $pass .= $allowable_characters[mt_rand(0, $len)];
+ $pass .= $allowable_characters[$index];
 }
 return $pass;
diff --git a/modules/user/user.pages.inc b/modules/user/user.pages.inc
index 4bea93982..d72cecc26 100644
--- a/modules/user/user.pages.inc
+++ b/modules/user/user.pages.inc
@@ -137,7 +137,7 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
 watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
 drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));
 // Let the user's password be changed without the current password check.
- $token = drupal_hash_base64(drupal_random_bytes(55));
+ $token = drupal_random_key();
 $_SESSION['pass_reset_' . $user->uid] = $token;
 drupal_goto('user/' . $user->uid . '/edit', array('query' => array('pass-reset-token' => $token)));
 }
|
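Review bot: The discard loop `do { ... } while ($index > $len);` in user_password() is only correct while `$len` is the last valid index of `$allowable_characters` and stays below 256, and nothing in the hunk records either assumption. `$len` is assigned outside the hunk; it is presumably the string length minus one, since it was previously the inclusive upper bound of `mt_rand(0, $len)`. The new comment should also say why out-of-range bytes are thrown away rather than reduced with `%`, so that a later cleanup does not reintroduce a skewed character distribution, for example `// Discard bytes above $len instead of taking a modulo, which would favour the low indexes; requires $len < 256.`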
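Review bot: The new token in user_pass_reset() is still handed to `drupal_goto()` in the `pass-reset-token` query parameter, so it will show up in the web server's access log, in browser history and possibly in a Referer header sent from the edit page. It is also stored under `$_SESSION['pass_reset_' . $user->uid]`, which ties it to the current session, but the code that compares and discards it is outside this hunk and should be checked for a constant-time comparison and for unsetting the session entry once the password has been changed. A short comment above the assignment would record the intent, such as `// Session-bound token that only skips the current-password check; it travels in the URL, so it must not outlive the password change.` user_pass_reset() begins and ends outside the hunk.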