comparison roundup/password.py @ 5350:66a17c80e035

Force all uses of random to use SystemRandom and abort if pseudorandom random.Random would be used rather than random.SystemRandom. random.Random is returning the same value time after time. Even when seeded after instantiation, calls to the random.random() function return the same value, as if the state of the generator is not advancing. So the "fix" is to force use of the system random generator to generate: one-time keys for password reset (action.py); random passwords when resetting passwords (password.py); the serial number for auto SSL cert generation (roundup_server.py); Message-IDs in email (mailgw.py, client.py); anti-CSRF nonces (templating.py).
author John Rouillard <rouilj@ieee.org>
date Sat, 07 Jul 2018 22:02:41 -0400
parents 9792b18e0b19
children 91954be46a66
5349:b11bc7c77d09 5350:66a17c80e035
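--- a/roundup/password.py
+++ b/roundup/password.py
@@ -17,14 +17,23 @@
 #
 """Password handling (encoding, decoding).
 """
 __docformat__ = 'restructuredtext'
 
-import re, string, random
+import re, string
 import os
 from base64 import b64encode, b64decode
 from hashlib import md5, sha1
+
+try:
+# Use the cryptographic source of randomness if available
+from random import SystemRandom
+random=SystemRandom()
+except ImportError:
+raise
+from random import Random
+random=Random()
 
 try:
 import crypt
 except ImportError:
 crypt = None
@@ -361,9 +370,16 @@
 assert p == 'sekrit'
 assert p != 'not sekrit'
 assert 'sekrit' == p
 assert 'not sekrit' != p
 
+
+print random.randrange(36, 52)
+# this seems to return the save password every time
+# when run inside a roundup daemon.
+# but it tests out ok. I don't know why. -- rouilj
+print generatePassword()
+
 if __name__ == '__main__':
 test()
 
 # vim: set filetype=python sts=4 sw=4 et si :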
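Review bot: In the new try/except at the top of the file, the `except ImportError:` branch re-raises, so the `from random import Random` / `random=Random()` lines after `raise` can never run if they sit inside that branch; indentation is lost on this page, and if they were instead at module level they would silently replace the SystemRandom instance with the pseudorandom generator this commit is trying to exclude. Either way they should be deleted, which leaves the block as `from random import SystemRandom` followed by `random = SystemRandom()`, with a comment such as `# no fallback: fail at import rather than use a non-cryptographic PRNG`. As far as I know `SystemRandom` is always importable and a missing OS entropy source surfaces as `NotImplementedError` from `os.urandom` at call time, so catching ImportError probably does not enforce the abort by itself; a single `random.random()` call at import would. Separately, the `print generatePassword()` debugging added near the end of the file writes a generated password to stdout and looks like it should not ship.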
