[Disclaimer: I don't know anything about OAuth, or python-oauth2.]
* Paul Wise <p...@debian.org>, 2013-10-09, 07:41:
> On Wed, Oct 9, 2013 at 5:46 AM, Philippe Makowski wrote:
>> do you think that for fixing that, using
>> return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for i in
>> xrange(length))
>> ...
>> would be an acceptable fix?
>
> No, from the announcement of this issue on oss-sec:
>
> ... the Python 'random' documentation clearly states the results are
> repeatable ...
>
> http://www.openwall.com/lists/oss-security/2013/09/12/5
Yeah, the oss-sec mail is about using a RNG that is not suitable for
cryptographic purposes. This can be easily fixed by using "random.SystemRandom"
(which uses /dev/urandom) instead of the "random" module directly (which has a
Mersenne Twister under the hood).
Confusingly, the mail also points to the upstream bug report [0], which is about
an (almost) orthogonal problem. Philippe's fix would make birthday attacks harder.
Note however that make_nonce() and generate_nonce() docstrings say "generate
pseudorandom number", so they would have to be updated accordingly.
[0] https://github.com/simplegeo/python-oauth2/issues/9
--
Jakub Wilk
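The two points above, that a seeded Mersenne Twister is repeatable and that
random.SystemRandom draws from the OS CSPRNG instead, as an added example that is
not part of this thread or of python-oauth2. It keeps Philippe's 35-character
alphabet for comparison; the function names and the 16-character default length
are assumptions, and it is written for Python 3 (the thread's snippet uses
Python 2's xrange). On Python 3.6+ secrets.choice does the same as
SystemRandom().choice.

```python
import math
import random

# Philippe's alphabet from the thread: 26 letters plus the digits 1-9, i.e. 35
# symbols (note that '0' is absent), a little over 5.1 bits per character.
ALPHABET = 'abcdefghijklmnopqrstuvwxyz123456789'


def nonce_from(rng, length):
    """Philippe's proposed form, parameterised over the RNG so the two
    generators can be compared on equal terms."""
    return ''.join(rng.choice(ALPHABET) for _ in range(length))


def predictable_pair(length=16, seed=12345):
    """The module-level 'random' API is a seeded Mersenne Twister: two
    instances started from the same seed yield identical "nonces", which is
    exactly the repeatability the oss-sec mail objects to.  (In practice the
    seed is not hand-picked but derived from system state, which does not
    make the stream cryptographically unpredictable.)"""
    first = nonce_from(random.Random(seed), length)
    second = nonce_from(random.Random(seed), length)
    return first, second


# SystemRandom has the same .choice()/.randint() interface but reads every
# value from os.urandom (/dev/urandom on Linux); .seed() and .setstate() are
# no-ops for it, so there is no reproducible state to recover.
_sysrand = random.SystemRandom()


def secure_nonce(length=16):
    """Generate a random nonce using the operating system's CSPRNG.
    (This wording is what the docstrings mentioned in the thread would
    need to say instead of "generate pseudorandom number".)"""
    return nonce_from(_sysrand, length)


def nonce_bits(length):
    """Entropy of a nonce of this length over ALPHABET, in bits; the length
    you choose bounds how expensive a birthday-style collision search is."""
    return length * math.log2(len(ALPHABET))


if __name__ == '__main__':
    a, b = predictable_pair()
    print('seeded MT, same seed twice:', a, b, '-> identical:', a == b)
    print('SystemRandom nonce:', secure_nonce())
    print('SystemRandom nonce:', secure_nonce())
    print('bits in a 16-char nonce: %.1f' % nonce_bits(16))
```

Dropping `random.Random(seed)` for `random.SystemRandom()` is the whole fix
on the randomness side; whether 16 characters (about 82 bits) is enough for a
given nonce lifetime is the separate question the upstream report is about.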
--
To UNSUBSCRIBE, email to debian-python-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131009064018.ga3...@jwilk.net