diff roundup/cgi/client.py @ 5356:91954be46a66

A real fix for the problem where `import random` would result in every call to random() returning the same value in the web interface. While cgi/client.py:Client::__init__ was calling random.seed(), on most systems `random` there was SystemRandom and not the default random. As a result, the random you would get from `import random` was never being seeded. I added a function to access and seed the random module's bound instance of random.Random; it is called during init. This fixes all three places where I saw the broken randomness. It should also fix: http://psf.upfronthosting.co.za/roundup/meta/issue644 I also removed the prior code that would bail if SystemRandom was not available.
author John Rouillard <rouilj@ieee.org>
date Sun, 08 Jul 2018 11:34:42 -0400
parents 66a17c80e035
children 35ea9b1efc14 8e3df461d316
--- a/roundup/cgi/client.py	Sat Jul 07 22:39:16 2018 -0400
+++ b/roundup/cgi/client.py	Sun Jul 08 11:34:42 2018 -0400
@@ -17,9 +17,7 @@
     random=SystemRandom()
     logger.debug("Importing good random generator")
 except ImportError:
-    raise
-    from random import Random
-    random=Random()
+    from random import random
     logger.warning("**SystemRandom not available. Using poor random generator")
 
 try:
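Review bot: In the `except ImportError:` branch, `from random import random` binds the name `random` to the module's `random()` function rather than to a generator object, so the `random.seed()` call in `Client.__init__` would raise AttributeError on exactly the systems this fallback is meant for. Keeping the object form preserves the interface the rest of the file expects: `from random import Random` followed by `random = Random()`. The `try:` this branch belongs to starts above the hunk, so it is worth confirming that ImportError is really what is raised when no OS entropy source exists. Because this path downgrades token generation to a non-cryptographic generator, the message would be better logged with `logger.error`, or the fallback made an explicit opt-in.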
@@ -81,6 +79,19 @@
 The tracker maintainers have been notified of the problem.</p>
 </body></html>"""
 
+def seed_pseudorandom():
+    '''A function to seed the default pseudorandom random number generator
+       which is used to (at minimum):
+          * generate part of email message-id 
+          * generate OTK for password reset
+          * generate the temp recovery password
+
+       This function limits the scope of the 'import random' call
+       as the random identifier is used throughout the code and
+       can refer to SystemRandom.
+    '''
+    import random
+    random.seed()
 
 class LiberalCookie(SimpleCookie):
     """ Python's SimpleCookie throws an exception if the cookie uses invalid
@@ -307,8 +318,14 @@
     )
 
     def __init__(self, instance, request, env, form=None, translator=None):
-        # re-seed the random number generator
+        # re-seed the random number generator. Is this is an instance of
+        # random.SystemRandom it has no effect.
         random.seed()
+        # So we also seed the pseudorandom random source obtained from
+        #    import random
+        # to make sure that every forked copy of the client will return
+        # new random numbers.
+        seed_pseudorandom()
         self.start = time.time()
         self.instance = instance
         self.request = request
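Review bot: Seeding the module-level generator in `__init__` stops forked clients from repeating values, but the items that the `seed_pseudorandom` docstring lists (password-reset OTK, temporary recovery password) are still drawn from the Mersenne Twister, which is not suitable for secrets even when seeded from OS entropy. Those call sites are outside this diff; they should take their randomness from the `SystemRandom` instance bound to `random` in this module, leaving the seeded generator for the message-id only. A comment at the call would make that explicit, e.g. `# NOTE: the module-level random is not a CSPRNG; OTKs and passwords must use SystemRandom`. The new comment also has a typo: `Is this is an instance` should read `If this is an instance`. `__init__` continues past the end of the hunk.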
