comparison roundup/password.py @ 5350:66a17c80e035
Force all uses of random to use SystemRandom and abort if
pseudorandom random.Random would be used rather than
Random.SystemRandom.
random.Random is returning the same value time after time. Even when
being seeded after instantiation, calls to the random.random()
function return the same value as if it's not advancing the state of
the generator.
So "fix" is to force use of system random generator to generate:
one time keys for password reset (action.py)
random passwords when resetting passwords (password.py)
serial number for auto ssl cert generation (roundup_server.py)
Message-ID's in email: mailgw.py, client.py
anti-csrf nonces (templating.py)
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 07 Jul 2018 22:02:41 -0400 |
| parents | 9792b18e0b19 |
| children | 91954be46a66 |
| 5349:b11bc7c77d09 | 5350:66a17c80e035 |
|---|---|
| 17 # | 17 # |
| 18 """Password handling (encoding, decoding). | 18 """Password handling (encoding, decoding). |
| 19 """ | 19 """ |
| 20 __docformat__ = 'restructuredtext' | 20 __docformat__ = 'restructuredtext' |
| 21 | 21 |
| 22 import re, string, random | 22 import re, string |
| 23 import os | 23 import os |
| 24 from base64 import b64encode, b64decode | 24 from base64 import b64encode, b64decode |
| 25 from hashlib import md5, sha1 | 25 from hashlib import md5, sha1 |
| 26 | |
| 27 try: | |
| 28 # Use the cryptographic source of randomness if available | |
| 29 from random import SystemRandom | |
| 30 random=SystemRandom() | |
| 31 except ImportError: | |
| 32 raise | |
| 33 from random import Random | |
| 34 random=Random() | |
| 26 | 35 |
| 27 try: | 36 try: |
| 28 import crypt | 37 import crypt |
| 29 except ImportError: | 38 except ImportError: |
| 30 crypt = None | 39 crypt = None |
| 361 assert p == 'sekrit' | 370 assert p == 'sekrit' |
| 362 assert p != 'not sekrit' | 371 assert p != 'not sekrit' |
| 363 assert 'sekrit' == p | 372 assert 'sekrit' == p |
| 364 assert 'not sekrit' != p | 373 assert 'not sekrit' != p |
| 365 | 374 |
| 375 | |
| 376 print random.randrange(36, 52) | |
| 377 # this seems to return the save password every time | |
| 378 # when run inside a roundup daemon. | |
| 379 # but it tests out ok. I don't know why. -- rouilj | |
| 380 print generatePassword() | |
| 381 | |
| 366 if __name__ == '__main__': | 382 if __name__ == '__main__': |
| 367 test() | 383 test() |
| 368 | 384 |
| 369 # vim: set filetype=python sts=4 sw=4 et si : | 385 # vim: set filetype=python sts=4 sw=4 et si : |
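Review bot: The two lines after `raise` in the new `except ImportError:` block (new lines 33-34, `from random import Random` and `random=Random()`) are unreachable, so they are dead code that still reads as though a non-cryptographic generator could be installed for password generation. A bare `raise` only re-raises the ImportError, so the try/except adds nothing; the block reduces to `from random import SystemRandom` and `random = SystemRandom()` with a comment explaining that there is deliberately no fallback, e.g. `# Passwords and reset tokens must come from the OS-backed CSPRNG; never fall back to random.Random.` Rebinding the module-level name `random` to a `SystemRandom` instance also turns any `random.seed()` call elsewhere in the module into a no-op (and `getstate`/`setstate` raise NotImplementedError), which is presumably intended here but should be stated in that comment. In the second hunk, the `print random.randrange(36, 52)` / `print generatePassword()` lines and the "same password every time" comment read as leftover debugging; if they sit inside test() (whose def is outside the hunk), a test should not write a freshly generated password to stdout. An assertion such as `assert generatePassword() != generatePassword()` would check the property the commit description is worried about without printing secrets.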
