From 63146720d4f717ea3b981243b6571703e1e44cd2 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 10 Apr 2011 14:16:17 +0000
Subject: [PATCH] functions.inc.php: - generate_password(): generate more secure random password Based on a patch from Pierre Fagrell (mrfrenzy@SF), https://sourceforge.net/tracker/?func=detail&aid=2958698&group_id=191583&atid=937964 (with some modifications) git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1026 a1433add-5e2c-0410-b055-b7f2511e0802
---
 functions.inc.php | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/functions.inc.php b/functions.inc.php
index ff9846be..dbf38e71 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -1163,9 +1163,30 @@ function encode_header ($string, $default_charset = "utf-8")
 // Action: Generates a random password
 // Call: generate_password ()
 //
-function generate_password ()
-{
- $password = substr (md5 (mt_rand ()), 0, 8);
+function generate_password () {
+ global $CONF;
+
+ //check that password length is sensible
+ $length = (int) $CONF['min_password_length'];
+ if ($length < 5 || $length > 32) {
+ $length = 8;
+ }
+
+ // define possible characters
+ $possible = "2345678923456789abcdefghijkmnpqrstuvwxyzABCDEFGHIJKLMNPQRSTUVWXYZ"; # skip 0 and 1 to avoid confusion with O and l
+
+ // add random characters to $password until $length is reached
+ $password = "";
+ while (strlen($password) < $length) {
+ // pick a random character from the possible ones
+ $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
+
+ // we don't want this character if it's already in the password
+ if (!strstr($password, $char)) {
+ $password .= $char;
+ }
+ }
+
 return $password;
 }
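Review bot: The index into `$possible` still comes from `mt_rand()`, a Mersenne Twister generator that is not designed for secrets, so the new `generate_password()` is not backed by a cryptographically secure source despite the commit's stated goal. Draw the index from a CSPRNG instead, e.g. `$char = $possible[random_int(0, strlen($possible) - 1)];` on PHP 7+, or derive it from `openssl_random_pseudo_bytes()` on older runtimes. The `strstr()` no-repeat check and the doubled `23456789` run in `$possible` respectively shrink and skew the password space; dropping the check and listing each digit once would keep the selection uniform. Separately, a `$CONF['min_password_length']` above 32 falls back to 8, which yields a password shorter than the configured minimum, so clamping to the bound (`$length = min(max($length, 8), 32);`) looks safer than resetting to 8.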