From 0cc42e2941f2f280b6924f5cd90dd5c144b4e601 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@mozilla.com>
Date: Tue, 4 Aug 2015 14:07:22 +0800
Subject: Bug 1188339 - Backport upstream bug 1179856 (Increase length of all
 tokens value for greater security)

---
 Bugzilla/Token.pm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'Bugzilla/Token.pm')

diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 7edcd4226..b7227144f 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -49,6 +49,11 @@ use base qw(Exporter);
                               check_token_data delete_token
                               issue_hash_token check_hash_token);
 
+# 128 bits password:
+# 128 * log10(2) / log10(62) = 21.49, round up to 22.
+# 62 = 0-9, a-z, A-Z.
+use constant TOKEN_LENGTH => 22;
+
 ################################################################################
 # Public Functions
 ################################################################################
@@ -307,7 +312,7 @@ sub GenerateUniqueToken {
         if ($tries > 100) {
             ThrowCodeError("token_generation_error");
         }
-        $token = generate_random_password();
+        $token = generate_random_password(TOKEN_LENGTH);
         $sth->execute($token);
         $duplicate = $sth->fetchrow_array;
     }
-- 
cgit v1.2.3-24-g4f1b