From f459a35cf4fe475d505e2eebbc10428adbab959e Mon Sep 17 00:00:00 2001
From: Lynn Stephenson <63118982+lynn-stephenson@users.noreply.github.com>
Date: Sat, 4 Apr 2020 08:06:49 +0000
Subject: [PATCH] Update lostpass.php

use CSPRNG for password reset token generation
---
 mod/lostpass.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mod/lostpass.php b/mod/lostpass.php
index 2ce396e366..8a1a9f36e5 100644
--- a/mod/lostpass.php
+++ b/mod/lostpass.php
@@ -41,7 +41,7 @@ function lostpass_post(App $a)
 		DI::baseUrl()->redirect();
 	}
 
-	$pwdreset_token = Strings::getRandomName(12) . random_int(1000, 9999);
+	$pwdreset_token = Strings::getRandomHex(32);
 
 	$fields = [
 		'pwdreset' => $pwdreset_token,
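Review bot: The new token is still written verbatim into the `'pwdreset'` field on the last line of the hunk, so a leaked database dump or backup would contain usable reset tokens however strong the generator is. Storing a digest instead, `'pwdreset' => hash('sha256', $pwdreset_token),`, and hashing the submitted value before comparing would limit that exposure; the lookup code is outside this hunk and would need the matching change. The CSPRNG claim in the commit message rests on `Strings::getRandomHex()`, whose body is not shown here, so a comment above the assignment such as `// 32 hex chars (128 bits, if the argument is the character count); helper must stay CSPRNG-backed` would record the expectation. The `$fields` array and `lostpass_post()` continue past the last visible line, so this view cannot confirm whether an expiry time is stored with the token.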