From 7a49e649d831346749ac5ddb0a8e4ef16f11d414 Mon Sep 17 00:00:00 2001
From: Chuck Hagenbuch
Date: Mon, 7 Sep 2009 22:58:25 -0400
Subject: [PATCH] More salt improvements - use all base64 characters (not just hex) for crypt, crypt-des, and crypt-blowfish (Bug #8425).
---
 framework/Auth/lib/Horde/Auth.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/framework/Auth/lib/Horde/Auth.php b/framework/Auth/lib/Horde/Auth.php
index 06596199e..24ec04272 100644
--- a/framework/Auth/lib/Horde/Auth.php
+++ b/framework/Auth/lib/Horde/Auth.php
@@ -274,7 +274,7 @@ class Horde_Auth
 case 'crypt-des':
 return $seed
 ? substr(preg_replace('|^{crypt}|i', '', $seed), 0, 2)
- : substr(hash('md5', mt_rand()), 0, 2);
+ : substr(base64_encode(hash('md5', mt_rand(), true)), 0, 2);
 case 'crypt-md5':
 return $seed
@@ -284,7 +284,7 @@ class Horde_Auth
 case 'crypt-blowfish':
 return $seed
 ? substr(preg_replace('|^{crypt}|i', '', $seed), 0, 16)
- : '$2$' . substr(hash('md5', mt_rand()), 0, 12) . '$';
+ : '$2$' . base64_encode(hash('md5', sprintf('%08X%08X%08X', mt_rand(), mt_rand(), mt_rand()), true)) . '$';
 case 'ssha':
 return $seed
--
2.11.0
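Review bot: The two characters taken from `base64_encode()` on the new `crypt-des` line can include `+`, which is outside the `./0-9A-Za-z` alphabet that DES crypt salts use, so roughly 3% of generated salts will be invalid. PHP documents that `crypt()` fails on invalid salt characters for standard DES (some older implementations may instead accept them silently), so this can surface as intermittent hashing failures. Mapping the one differing character keeps the wider alphabet: `: substr(strtr(base64_encode(hash('md5', mt_rand(), true)), '+', '.'), 0, 2);`. The same alphabet mismatch applies to the `crypt-blowfish` line in the second hunk. The enclosing switch starts and ends outside the hunk.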
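Review bot: The new `crypt-blowfish` salt no longer has the shape the seed branch expects: `base64_encode()` of the 16 raw MD5 bytes is always 24 characters ending in `==`, so the generated value is 28 characters with padding inside it, while the line above still keeps only the first 16 characters of a stored hash. The old code produced exactly 16 (`$2$` + 12 + `$`), so a salt re-derived from the seed may now differ from the one that was generated unless crypt() itself ignores the excess. Truncating after translating the alphabet restores the old length and drops the padding, e.g. `: '$2$' . substr(strtr(base64_encode(hash('md5', sprintf('%08X%08X%08X', mt_rand(), mt_rand(), mt_rand()), true)), '+', '.'), 0, 12) . '$';`. Which length and prefix the target crypt() actually accepts for Blowfish is not visible here and should be confirmed; `mt_rand()` is also not a cryptographic generator, which matters less for a salt but deserves a comment.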