From d4d8aec02af958b40a4c0220cc60498cf32c6549 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20Calvo?= <rubencm@gmail.com>
Date: Mon, 18 Jun 2018 22:29:51 +0200
Subject: [PATCH] [ticket/15695] Fix gen_rand_string returning less characters
 than expected

PHPBB3-15695
---
 phpBB/includes/functions.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 270d513a26..97f25cc701 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -66,27 +66,29 @@ function set_var(&$result, $var, $type, $multibyte = false)
 /**
 * Generates an alphanumeric random string of given length
 *
-* @param int $num_chars Length of random string, defaults to 8
+* @param int $num_chars Length of random string, defaults to 8.
+* This number should be less or equal than 64.
 *
 * @return string
 */
 function gen_rand_string($num_chars = 8)
 {
 	// [a, z] + [0, 9] = 36
-	return substr(strtoupper(base_convert(bin2hex(random_bytes($num_chars)), 16, 36)), 0, $num_chars);
+	return substr(strtoupper(base_convert(bin2hex(random_bytes($num_chars + 1)), 16, 36)), 0, $num_chars);
 }
 
 /**
 * Generates a user-friendly alphanumeric random string of given length
 * We remove 0 and O so users cannot confuse those in passwords etc.
 *
-* @param int $num_chars Length of random string, defaults to 8
+* @param int $num_chars Length of random string, defaults to 8.
+* This number should be less or equal than 64.
 *
 * @return string
 */
 function gen_rand_string_friendly($num_chars = 8)
 {
-	$rand_str = bin2hex(random_bytes($num_chars));
+	$rand_str = bin2hex(random_bytes($num_chars + 1));
 
 	// Remove Z and Y from the base_convert(), replace 0 with Z and O with Y
 	// [a, z] + [0, 9] - {z, y} = [a, z] + [0, 9] - {0, o} = 34