Those using the dashboard theme/extension and the dynamic and exclusive themes can make similar changes in the following files for FA 2.3 and where appropriate in the themes in FA 2.4:

Extensions

Line 92 in dashboard/widgets/customers.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 92 in dashboard/widgets/dimensions.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 97 in dashboard/widgets/glreturn.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 98 in dashboard/widgets/items.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Line 92 in dashboard/widgets/suppliers.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";

Line 93 in import_transactions/includes/import_sales_cart_class.inc - $this->cart_id = uniqid(''); - Localised, so no change needed

Themes

Lines 306, 405, 506, 560, 623 in dynamic/renderer.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";
Lines 265, 364, 465, 519, 582 in exclusive/renderer.php - $filename = company_path(). "/pdf_files/". uniqid("").".png";

The official repo for extension distribution for FA 2.3 will not be updated since it is EOL and if done will affect those with non-bleeding edge installs.

First we need to include the fix in post 4 of this thread.
The issue of filenames starting with a hyphen or underscore may need to be addressed.
The function clean_file_name() in includes/main.inc can also do the job.

Since we are now allowing underscores(_) and hyphens (-) in the random_id()'s filenames, we need to allow it for excel filenames for download too.

Lines 30 to 55 in FA 2.3's reporting/prn_redirect.php:

if (isset($_GET['xls']))
{
    $filename = $_GET['filename'];
    $unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);
    $path =  company_path(). '/pdf_files/';
    header("Content-type: application/vnd.ms-excel");
    header("Content-Disposition: attachment; filename=$filename" );
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
    header("Pragma: public");
    echo file_get_contents($path.$unique_name);
    exit();
}
elseif (isset($_GET['xml']))
{
    $filename = $_GET['filename'];
    $unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);
    $path =  company_path(). '/pdf_files/';
    header("content-type: text/xml");
    header("Content-Disposition: attachment; filename=$filename");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
    header("Pragma: public");
    echo file_get_contents($path.$unique_name);
    exit();
}

can be replaced with:

if (isset($_GET['xls']) || isset($_GET['xml']))
{
    $filename = $_GET['filename'];
    $unique_name = preg_replace("/[^0-9_a-z.\-]/i", '', $_GET['unique']);
    $path =  company_path(). '/pdf_files/';
    if (isset($_GET['xls'])) header("Content-type: application/vnd.ms-excel");
    else header("content-type: text/xml");
    header("Content-Disposition: attachment; filename=$filename" );
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0,pre-check=0");
    header("Pragma: public");
    echo file_get_contents($path.$unique_name);
    exit();
}

@joe: please update both repos.

PHP PCRE (Regular Expressions) - CheatSheet | Tutorial.

The file includes/main.inc is "included" in the includes/session.inc file (apart from during installation in the install/isession.inc). It may have been possible that the file redirection (reporting/prn_redirect.php) to download the excel file did not have this initially - the said session file seems included though.

Line 719 in reporting/excel_report.inc:

        meta_forward($path_to_root.'/reporting/prn_redirect.php', "xls=1&filename=$this->filename&unique=$this->unique_name");

causes the redirection to download the excel file.

Line 33 in reporting/prn_redirect.php:

    $unique_name = preg_replace('/[^0-9a-z.]/i', '', $_GET['unique']);

seems to do some replacements that affect the downloaded filename.

@itronics / @joe: Is this necessary in the light of the current commits?

    $id = strtr(base64_encode($bin), '+/', '-_');    // see RFC 4648 Section 5

with

    $id = strtr(base64_encode($bin), '+/=', '-_x');    // see RFC 4648 Section 5

and likewise in FA 2.4. The pad character "=" can be got rid off this way.
Before your commit, it was a 13 character file base name and it is now 24 (multiples of 8).
The original filename was like:
    dLPhO1A-K5vj5Dq4NxBA7w==.pdf
and the new file name will be like:
    4vuNUMXvAVsQVuHEVzlrdwxx.pdf

** Fixed in FA 2.3 and FA 2.4 commits.

As of 2016: There's another bug with openssl_random_pseudo_bytes() (71915), which can result in duplicate values when you run it multiple times with the same process ID. Looks like it's fixed in 5.6.24.

The file includes/main.inc is expected to be included in every instance where it is used as the new function random_id() is defined there and it refers to a variable $cstrong which is not assigned yet. This is mostly okay as it is a return diagnostics value only. If there are any errors then just assign it a blank string before invocation as it is passed by reference.

The following files too use uniqid still and no changes in them yet in the commit done now:
1. includes/ui/ui_view.inc - $name = uniqid('_el',true);
2. reporting/includes/class.mail.inc - $this->boundary = md5(uniqid(time()));
3. reporting/includes/tcpdf.inc - $owner_pass = uniqid(rand());

4. sales/includes/cart_class.inc - $this->cart_id = uniqid(''); - This is just temporary cart id used to avoid erroneous concurrent edition inside single user session. This is not used in urls, so the security problem does not apply here.

In FA 2.4 additionally:
1. includes/dashboard.inc - $filename = company_path(). "/pdf_files/". uniqid("").".png"; - Fixed in this commit.

When changes are made to the files above, we need to make sure that the said new function random_id() is available therein. Those using it in extensions and using SOAP / RESTful APIs too need to take care by defining the function if it dows not exists at the point of invocation.

Line 973 in reporting/includes/pdf_report.inc:

                $fname = $dir.'/'.uniqid('').'.pdf';

can be changed to

                $fname = $dir.'/'.md5(uniqid(mt_rand(), true)).'.pdf';

This improves the entropy from 10 to 29 bits but is still not good enough and is used in line 69 of includes/ui/ui_controls.inc.

Other places like this are in some repXXX.php files:

$filename = company_path(). "/pdf_files/". uniqid("").".png";

that need similar changes. Several others files in FA use uniqid too and will need some changes like this.

@joe: can we include this in both repos?