Inverted comparison

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

core/ormdocument.class.inc.php

@@ -362,8 +362,7 @@ class ormDocument
 					throw new Exception("Invalid id ($id) for class '$sClass' - the object does not exist or you are not allowed to view it");
 				}
 			}
-			if (($sSecretField != null) && ($oObj->Get($sSecretField) != $sSecretValue)) {
-				usleep(200);
+			if (($sSecretField != null) && !hash_equals($oObj->Get($sSecretField), $sSecretValue)) {
 				throw new Exception("Invalid secret for class '$sClass' - the object does not exist or you are not allowed to view it");
 			}
 			/** @var \ormDocument $oDocument */

pages/ajax.render.php

@@ -2136,7 +2136,7 @@ EOF
 							$oAttachment->Set('item_class', $sObjClass);
 							$oAttachment->SetDefaultOrgId();
 							$oAttachment->Set('contents', $oDoc);
-							$oAttachment->Set('secret', sprintf('%06x', mt_rand(0, 0xFFFFFF))); // something not easy to guess
+							$oAttachment->Set('secret', bin2hex(random_bytes(16))); // 128 bits of entropy, cryptographically secure
 							$iAttId = $oAttachment->DBInsert();
 
 							$aResult['uploaded'] = 1;
@@ -2194,7 +2194,7 @@ EOF
 						$oAttachment->Set('item_class', $sObjClass);
 						$oAttachment->SetDefaultOrgId();
 						$oAttachment->Set('contents', $oDoc);
-						$oAttachment->Set('secret', sprintf('%06x', mt_rand(0, 0xFFFFFF))); // something not easy to guess
+                        $oAttachment->Set('secret', bin2hex(random_bytes(16))); // 128 bits of entropy, cryptographically secure
 						$iAttId = $oAttachment->DBInsert();
 
 						IssueLog::Trace('InlineImage created', LogChannels::INLINE_IMAGE, [