From bad4007a74c84166675d44f2311d3ae869de18af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcell=20F=C3=9CL=C3=96P?=
Date: Mon, 20 Feb 2023 15:57:05 +0000
Subject: [PATCH] fix: use crypto for rand

---
 auth/oidc.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/auth/oidc.go b/auth/oidc.go
index 0c365143..14e6a5e1 100644
--- a/auth/oidc.go
+++ b/auth/oidc.go
@@ -2,11 +2,13 @@ package auth

 import (
 	"context"
+	"crypto/rand"
 	"fmt"
 	"github.com/filebrowser/filebrowser/v2/settings"
 	"github.com/filebrowser/filebrowser/v2/users"
 	"log"
-	"math/rand"
+	"math"
+	"math/big"
 	"net/http"
 	"os"

@@ -71,8 +73,11 @@ func (o *OAuthClient) InitClient() {
 // InitAuthFlow triggers the oidc authentication flow.
 func (o *OAuthClient) InitAuthFlow(w http.ResponseWriter, r *http.Request) {
 	o.InitClient()
-	state := fmt.Sprintf("%x", rand.Uint32())
-	nonce := fmt.Sprintf("%x", rand.Uint32())
+
+	rand1, _ := rand.Int(rand.Reader, big.NewInt(math.MaxInt32))
+	rand2, _ := rand.Int(rand.Reader, big.NewInt(math.MaxInt32))
+	state := fmt.Sprintf("%x", rand1)
+	nonce := fmt.Sprintf("%x", rand2)
 	o.OAuth2Config.RedirectURL += "?redirect=" + r.URL.Path
 	url := o.OAuth2Config.AuthCodeURL(state, oidc.Nonce(nonce))
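Review bot: The `math` and `math/big` imports added to this import block exist only to bound `rand.Int` at `math.MaxInt32` in the InitAuthFlow hunk that follows, which caps the OIDC `state` and `nonce` at 31 bits of entropy and discards the `rand.Int` error (`rand1, _ :=`), so a CSPRNG read failure would appear to fall through to a constant, non-random value rather than aborting the flow. Reading 16 bytes with `rand.Read` and hex-encoding them yields a full-strength token, surfaces the error, and lets this block replace `math`/`math/big` with `encoding/hex`. Separating the stdlib imports from the `github.com/...` group with a blank line would also match `goimports` output. The InitAuthFlow body continues past the end of this chunk, so the call-site lines below are an excerpt.

```go
// randomToken returns 32 hex characters (128 bits) drawn from crypto/rand.
func randomToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("generating oidc token: %w", err)
	}
	return hex.EncodeToString(b), nil
}

func (o *OAuthClient) InitAuthFlow(w http.ResponseWriter, r *http.Request) {
	o.InitClient()
	state, err := randomToken()
	if err != nil {
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	nonce, err := randomToken()
	if err != nil {
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	// … unchanged: RedirectURL / AuthCodeURL handling …
```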