fix #1315 인증메일 및 비밀번호 찾기에서 새 비밀번호 및 인증키 발급 개선

classes/security/Password.class.php

@@ -347,6 +347,84 @@ class Password
 		}
 		return $diff === 0;
 	}
+
+	/**
+	 * @brief Generates a strong password
+	 *
+	 * @param int $length
+	 * @param bool $add_dashes
+	 * @param string $available_sets
+	 * @return string
+	 *
+	 * @link https://gist.github.com/tylerhall/521810
+	 *
+	 * Generates a strong password of N length containing at least one lower case letter,
+	 * one uppercase letter, one digit, and one special character. The remaining characters
+	 * in the password are chosen at random from those four sets.
+	 *
+	 * The available characters in each set are user friendly - there are no ambiguous
+	 * characters such as i, l, 1, o, 0, etc. This, coupled with the $add_dashes option,
+	 * makes it much easier for users to manually type or speak their passwords.
+	 *
+	 * Note: the $add_dashes option will increase the length of the password by
+	 * floor(sqrt(N)) characters.
+	 */
+	function generateStrongPassword($length = 10, $add_dashes = false, $available_sets = 'luds')
+	{
+		$sets = array();
+		if(strpos($available_sets, 'l') !== false)
+		{
+			$sets[] = 'abcdefghjkmnpqrstuvwxyz';
+		}
+
+		if(strpos($available_sets, 'u') !== false)
+		{
+			$sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
+		}
+
+		if(strpos($available_sets, 'd') !== false)
+		{
+			$sets[] = '23456789';
+		}
+
+		if(strpos($available_sets, 's') !== false)
+		{
+			$sets[] = '!@#$%&*?';
+		}
+
+		$all = '';
+		$password = '';
+		foreach($sets as $set)
+		{
+			$password .= $set[array_rand(str_split($set))];
+			$all .= $set;
+		}
+
+		$all = str_split($all);
+		for($i = 0; $i < $length - count($sets); $i++)
+		{
+			$password .= $all[array_rand($all)];
+		}
+
+		$password = str_shuffle($password);
+
+		if(!$add_dashes)
+		{
+			return $password;
+		}
+
+		$dash_len = floor(sqrt($length));
+		$dash_str = '';
+		while(strlen($password) > $dash_len)
+		{
+			$dash_str .= substr($password, 0, $dash_len) . '-';
+			$password = substr($password, $dash_len);
+		}
+
+		$dash_str .= $password;
+
+		return $dash_str;
+	}
 }
 /* End of file : Password.class.php */
 /* Location: ./classes/security/Password.class.php */

modules/member/member.controller.php

@@ -966,11 +966,12 @@ class memberController extends member
 		}
 
 		// Insert data into the authentication DB
+		$oPassword = new Password();
 		$args = new stdClass();
 		$args->user_id = $member_info->user_id;
 		$args->member_srl = $member_info->member_srl;
-		$args->new_password = rand(111111,999999);
+		$args->new_password = $oPassword->generateStrongPassword();
-		$args->auth_key = md5( rand(0,999999 ) );
+		$args->auth_key = $oPassword->createSecureSalt(40);
 		$args->is_register = 'N';
 
 		$output = executeQuery('member.insertAuthMail', $args);
@@ -1070,17 +1071,17 @@ class memberController extends member
 		}
 
 		// Update to a temporary password and set change_password_date to 1
-		$args = new stdClass;
+		$oPassword =  new Password();
-		$args->member_srl = $member_srl;
+		$temp_password = $oPassword->generateStrongPassword();
-		list($usec, $sec) = explode(" ", microtime());
-		$temp_password = substr(md5($user_id . $member_info->find_account_answer. $usec . $sec),0,15);
 
+		$args = new stdClass();
+		$args->member_srl = $member_srl;
 		$args->password = $temp_password;
 		$args->change_password_date = '1';
 		$output = $this->updateMemberPassword($args);
 		if(!$output->toBool()) return $output;
 
-		$_SESSION['xe_temp_password_'.$user_id] = $temp_password;
+		$_SESSION['xe_temp_password_' . $user_id] = $temp_password;
 
 		$this->add('user_id',$user_id);
 
@@ -1177,10 +1178,11 @@ class memberController extends member
 		$chk_args->member_srl = $member_srl;
 		$output = executeQuery('member.chkAuthMail', $chk_args);
 		if($output->toBool() && $output->data->count == '0') return new Object(-1, 'msg_invalid_request');
+
 		// Insert data into the authentication DB
 		$auth_args = new stdClass;
 		$auth_args->member_srl = $member_srl;
-		$auth_args->auth_key = md5(rand(0, 999999));
+		$auth_args->auth_key = $oPassword->createSecureSalt(40);
 
 		$output = executeQuery('member.updateAuthMail', $auth_args);
 		if(!$output->toBool())
@@ -1355,11 +1357,12 @@ class memberController extends member
 		$this->_clearMemberCache($args->member_srl);
 
 		// generate new auth key
-		$auth_args = new stdClass;
+		$oPassword = new Password();
+		$auth_args = new stdClass();
 		$auth_args->user_id = $memberInfo->user_id;
 		$auth_args->member_srl = $memberInfo->member_srl;
 		$auth_args->new_password = $memberInfo->password;
-		$auth_args->auth_key = md5( rand(0,999999 ) );
+		$auth_args->auth_key = $oPassword->createSecureSalt(40);
 		$auth_args->is_register = 'Y';
 
 		$output = executeQuery('member.insertAuthMail', $auth_args);
@@ -2067,11 +2070,12 @@ class memberController extends member
 		if($args->denied == 'Y')
 		{
 			// Insert data into the authentication DB
-			$auth_args = new stdClass;
+			$oPassword = new Password();
+			$auth_args = new stdClass();
 			$auth_args->user_id = $args->user_id;
 			$auth_args->member_srl = $args->member_srl;
 			$auth_args->new_password = $args->password;
-			$auth_args->auth_key = md5(rand(0, 999999));
+			$auth_args->auth_key = $oPassword->createSecureSalt(40);
 			$auth_args->is_register = 'Y';
 
 			$output = executeQuery('member.insertAuthMail', $auth_args);
@@ -2445,10 +2449,11 @@ class memberController extends member
 		}
 		unset($_SESSION['rechecked_password_step']);
 
-		$auth_args = new stdClass;
+		$oPassword = new Password();
+		$auth_args = new stdClass();
 		$auth_args->user_id = $newEmail;
 		$auth_args->member_srl = $member_info->member_srl;
-		$auth_args->auth_key = md5(rand(0, 999999));
+		$auth_args->auth_key = $oPassword->createSecureSalt(40);
 		$auth_args->new_password = 'XE_change_emaill_address';
 
 		$output = executeQuery('member.insertAuthMail', $auth_args);