fix: Password for mobileconfig that conforms to password-complexity policy

2026-01-23 02:14:26 +00:00 · 2026-01-01 16:48:33 +01:00 · 2026-01-01 16:48:33 +01:00 · 70101d1187
commit 70101d1187
parent 038b2efb75
2 changed files with 42 additions and 5 deletions
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@ -205,6 +205,42 @@ function password_complexity($_action, $_data = null) {
    break;
  }
 }
+
+function password_generate(){
+  $password_complexity = password_complexity('get');
+  $min_length = max(16, intval($password_complexity['length']));
+
+  $lowercase = range('a', 'z');
+  $uppercase = range('A', 'Z');
+  $digits = range(0, 9);
+  $special_chars = str_split('!@#$%^&*()?=');
+
+  $password = [
+    $lowercase[random_int(0, count($lowercase) - 1)],
+    $uppercase[random_int(0, count($uppercase) - 1)],
+    $digits[random_int(0, count($digits) - 1)],
+    $special_chars[random_int(0, count($special_chars) - 1)],
+  ];
+
+  $all = array_merge($lowercase, $uppercase, $digits, $special_chars);
+
+  while (count($password) < $min_length) {
+    $password[] = $all[random_int(0, count($all) - 1)];
+  }
+
+  // Cryptographically secure shuffle using Fisher-Yates algorithm
+  $count = count($password);
+  for ($i = $count - 1; $i > 0; $i--) {
+    $j = random_int(0, $i);
+    $temp = $password[$i];
+    $password[$i] = $password[$j];
+    $password[$j] = $temp;
+  }
+
+  return implode('', $password);
+
+}
+
 function password_check($password1, $password2) {
  $password_complexity = password_complexity('get');

--- a/data/web/mobileconfig.php
+++ b/data/web/mobileconfig.php
@ -34,15 +34,15 @@ catch(PDOException $e) {

 if (isset($_GET['only_email'])) {
  $onlyEmailAccount = true;
-  $description = 'IMAP';  
+  $description = 'IMAP';
 } else {
  $onlyEmailAccount = false;
-  $description = 'IMAP, CalDAV, CardDAV'; 
+  $description = 'IMAP, CalDAV, CardDAV';
 }
 if (isset($_GET['app_password'])) {
  $app_password = true;
  $description .= ' with application password';
-  
+
  if (strpos($_SERVER['HTTP_USER_AGENT'], 'iPad') !== FALSE)
      $platform = 'iPad';
  elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'iPhone') !== FALSE)
@ -51,8 +51,9 @@ if (isset($_GET['app_password'])) {
      $platform = 'Mac';
  else
      $platform = $_SERVER['HTTP_USER_AGENT'];
-  
-  $password = bin2hex(openssl_random_pseudo_bytes(16));
+
+  $password = password_generate();
+
  $attr = array(
      'app_name' => $platform,
      'app_passwd' => $password,