From d7c18215c57c5f5620bbc0205a0edff0e9456832 Mon Sep 17 00:00:00 2001
From: "Fedor A. Fetisov"
Date: Fri, 13 Sep 2013 19:53:20 +0400
Subject: [PATCH] Switch to a more secure method for generation of the CSRF token
---
 src/messenger/webim/libs/common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/messenger/webim/libs/common.php b/src/messenger/webim/libs/common.php
index f6c5ccff..6e653b34 100644
--- a/src/messenger/webim/libs/common.php
+++ b/src/messenger/webim/libs/common.php
@@ -755,7 +755,7 @@ function print_csrf_token_in_url()
 function setcsrftoken()
 {
 if (!isset($_SESSION['csrf_token'])) {
- $_SESSION['csrf_token'] = sha1(rand(10000000, 99999999));
+ $_SESSION['csrf_token'] = sha1(session_id() . (function_exists('openssl_random_pseudo_bytes') ? openssl_random_pseudo_bytes(32) : (time() + microtime()) . mt_rand(0, 99999999)));
 }
 }
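Review bot: The added line in setcsrftoken() discards the `$crypto_strong` out-parameter of `openssl_random_pseudo_bytes()`, so a result OpenSSL itself flags as not cryptographically strong is hashed unchecked, and on builds where the call returns `false` that value concatenates as an empty string and the token collapses to `sha1(session_id())`, with no fresh randomness at all. Pass the flag and accept the bytes only when it is set, otherwise fall through to the fallback. The fallback branch is itself not strong: `mt_rand()` is a seeded PRNG, and `microtime()` without `true` returns a string whose leading numeric part is only the fractional second, so `time() + microtime()` contributes very little entropy; it should carry a comment saying it is a last resort (and, where the PHP version permits, be replaced by `random_bytes()`). The restructured body below makes the strength check explicit while keeping the same token format.
```php
function setcsrftoken()
{
    if (!isset($_SESSION['csrf_token'])) {
        $strong = false;
        $random = function_exists('openssl_random_pseudo_bytes')
            ? openssl_random_pseudo_bytes(32, $strong)
            : false;
        if ($random === false || !$strong) {
            // Last resort only: mt_rand()/microtime() are predictable, not a CSPRNG.
            $random = (time() + microtime()) . mt_rand(0, 99999999);
        }
        $_SESSION['csrf_token'] = sha1(session_id() . $random);
    }
}
```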