Philippe Makowski [2013-10-18 22:02] :
But it leaves the other one, CVE-2013-4346, about _check_signature() ignoring the
nonce value when validating signed URLs.
Any idea?
Maybe something like this:
https://github.com/pmakowski/python-oauth2/commit/7002422bb39bc137713933bc2e55251853830fcc
But I
Jakub Wilk [2013-10-09 08:40] :
Yeah, the oss-sec mail is about using an RNG that is not suitable for
cryptographic purposes. This can be easily fixed by using
random.SystemRandom (which uses /dev/urandom) instead of the random
module directly (which has a Mersenne Twister under the hood).
On 9 Oct 2013 01:42, Paul Wise p...@debian.org wrote:
On Wed, Oct 9, 2013 at 5:46 AM, Philippe Makowski wrote:
do you think that for fixing that, using
return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for i in xrange(length))
...
would be an acceptable fix?
[Disclaimer: I don't know anything about OAuth, or python-oauth2.]
* Paul Wise p...@debian.org, 2013-10-09, 07:41:
On Wed, Oct 9, 2013 at 5:46 AM, Philippe Makowski wrote:
do you think that for fixing that, using
return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for i in
Hi,
do you think that for fixing that, using
return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for i in xrange(length))
instead of the current
return ''.join([str(random.randint(0, 9)) for i in range(length)])
would be an acceptable fix?
On Wed, Oct 9, 2013 at 5:46 AM, Philippe Makowski wrote:
do you think that for fixing that, using
return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for i in xrange(length))
...
would be an acceptable fix?
No, from the announcement of this issue on oss-sec:
... the Python
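The following is an added example, not code from this thread or from python-oauth2, that puts the three generators discussed side by side: the original digit-only nonce built on the module-level `random` functions, Philippe's wider-alphabet proposal (which still draws from the Mersenne Twister), and Jakub's suggestion of the same construction on `random.SystemRandom`. It also shows why the swap matters: a seeded `random.Random` reproduces the same "nonce" sequence, while `SystemRandom` ignores seeding and reads the OS entropy source. The `NonceStore` class is a hypothetical helper illustrating the CVE-2013-4346 side of the thread, i.e. what a validator that does not ignore the nonce has to track; it is not python-oauth2's `_check_signature` and the function names here are my own.

```python
import math
import random
import time

# Alphabet from the proposal in the thread: 26 letters + the digits 1-9 (35 symbols, no '0').
NONCE_ALPHABET = 'abcdefghijklmnopqrstuvwxyz123456789'

# A single SystemRandom instance; it draws from os.urandom() (/dev/urandom on Linux).
_SYSTEM_RNG = random.SystemRandom()


def generate_nonce_weak(length=8, rng=random):
    """Shape of the original code quoted in the thread: digits only, module-level
    Mersenne Twister. Kept for comparison, not for use."""
    return ''.join(str(rng.randint(0, 9)) for _ in range(length))


def generate_nonce_proposed(length=8, rng=random):
    """Philippe's proposal: larger alphabet, but still the non-cryptographic generator."""
    return ''.join(rng.choice(NONCE_ALPHABET) for _ in range(length))


def generate_nonce_secure(length=32, rng=_SYSTEM_RNG):
    """Jakub's suggestion: identical construction, CSPRNG as the source."""
    return ''.join(rng.choice(NONCE_ALPHABET) for _ in range(length))


def nonce_entropy_bits(alphabet, length):
    """Upper bound on nonce entropy: length * log2(|alphabet|), assuming a good source."""
    return length * math.log2(len(alphabet))


def mersenne_twister_is_reproducible(seed=1234, length=16):
    """Two random.Random instances with the same seed yield the same nonce stream."""
    a, b = random.Random(seed), random.Random(seed)
    return generate_nonce_proposed(length, a) == generate_nonce_proposed(length, b)


def system_random_ignores_seed(seed=1234, length=32):
    """SystemRandom.seed() is a no-op, so two 'seeded' instances still diverge."""
    a, b = random.SystemRandom(seed), random.SystemRandom(seed)
    return generate_nonce_secure(length, a) != generate_nonce_secure(length, b)


class NonceStore:
    """Hypothetical server-side replay check (assumption, not python-oauth2 code):
    a nonce must be unique per consumer key within the accepted timestamp window."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self._seen = {}  # (consumer_key, nonce) -> timestamp

    def check_and_record(self, consumer_key, nonce, timestamp, now=None):
        now = time.time() if now is None else now
        # Drop entries older than the window so the store does not grow without bound.
        self._seen = {k: ts for k, ts in self._seen.items() if now - ts <= self.window}
        if abs(now - timestamp) > self.window:
            return False  # stale or far-future timestamp
        key = (consumer_key, nonce)
        if key in self._seen:
            return False  # replayed nonce
        self._seen[key] = timestamp
        return True


if __name__ == '__main__':
    print('weak     :', generate_nonce_weak())
    print('proposed :', generate_nonce_proposed())
    print('secure   :', generate_nonce_secure())
    print('MT reproducible with same seed:', mersenne_twister_is_reproducible())
    print('SystemRandom ignores seed     :', system_random_ignores_seed())
    print('entropy, 8 digits  : %.1f bits' % nonce_entropy_bits('0123456789', 8))
    print('entropy, 8 of 35   : %.1f bits' % nonce_entropy_bits(NONCE_ALPHABET, 8))
    print('entropy, 32 of 35  : %.1f bits' % nonce_entropy_bits(NONCE_ALPHABET, 32))
```

Note that widening the alphabet only raises the ceiling (about 5.1 bits per character instead of 3.3); the state of the Mersenne Twister is what an observer could recover from enough output, so the source has to change, not just the alphabet. On Python 3.6 and later the `secrets` module wraps `SystemRandom` for exactly this purpose.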