Combodo · steffunky · Feb 23, 2026 · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026
diff --git a/core/ormdocument.class.inc.php b/core/ormdocument.class.inc.php
@@ -362,8 +362,7 @@ public static function DownloadDocument(WebPage $oPage, $sClass, $id, $sAttCode,
 					throw new Exception("Invalid id ($id) for class '$sClass' - the object does not exist or you are not allowed to view it");
 				}
 			}
-			if (($sSecretField != null) && ($oObj->Get($sSecretField) != $sSecretValue)) {
-				usleep(200);
+            if (($sSecretField != null) && (hash_equals($oObj->Get($sSecretField), $sSecretValue))) {
 				throw new Exception("Invalid secret for class '$sClass' - the object does not exist or you are not allowed to view it");
 			}
 			/** @var \ormDocument $oDocument */

diff --git a/pages/ajax.render.php b/pages/ajax.render.php
@@ -2136,7 +2136,7 @@ function(data){
 							$oAttachment->Set('item_class', $sObjClass);
 							$oAttachment->SetDefaultOrgId();
 							$oAttachment->Set('contents', $oDoc);
-							$oAttachment->Set('secret', sprintf('%06x', mt_rand(0, 0xFFFFFF))); // something not easy to guess
+                            $oAttachment->Set('secret', bin2hex(random_bytes(16))); // 128 bits of entropy, cryptographically secure
 							$iAttId = $oAttachment->DBInsert();
 
 							$aResult['uploaded'] = 1;