Log message for revision 128161: LP #1071067: Use a stronger random number generator and a constant time comparison function.
Changed:
  U   Zope/branches/2.13/doc/CHANGES.rst
  U   Zope/branches/2.13/setup.py
  U   Zope/branches/2.13/src/Products/Sessions/BrowserIdManager.py
  U   Zope/branches/2.13/versions.cfg
-=-
Modified: Zope/branches/2.13/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.13/doc/CHANGES.rst	2012-10-31 14:14:15 UTC (rev 128160)
+++ Zope/branches/2.13/doc/CHANGES.rst	2012-10-31 14:14:36 UTC (rev 128161)
@@ -5,12 +5,12 @@
 Change information for previous versions of Zope can be found at
 http://docs.zope.org/zope2/releases/.
-2.13.19 (unreleased)
+2.13.19 (2012-10-31)
 --------------------
 - Updated distributions:
-  - AccessControl = 2.13.11
+  - AccessControl = 2.13.12
   - distribute = 0.6.29
   - mr.developer = 1.22
   - pytz = 2012g
@@ -18,6 +18,9 @@
   - repoze.tm2 = 1.0
   - tempstorage = 2.12.2
+- LP #1071067: Use a stronger random number generator and a constant time
+  comparison function.
+
 - LP #1061247: Fix ZMI properties edit form for properties named `method`.
 - LP #1058049: Fix support for zoperunner section in zope.conf.
Modified: Zope/branches/2.13/setup.py
===================================================================
--- Zope/branches/2.13/setup.py	2012-10-31 14:14:15 UTC (rev 128160)
+++ Zope/branches/2.13/setup.py	2012-10-31 14:14:36 UTC (rev 128161)
@@ -23,7 +23,7 @@
 setup(name='Zope2',
-      version='2.13.19dev',
+      version='2.13.19',
       url='http://zope2.zope.org',
       license='ZPL 2.1',
       description='Zope2 application server / web framework',
Modified: Zope/branches/2.13/src/Products/Sessions/BrowserIdManager.py
===================================================================
--- Zope/branches/2.13/src/Products/Sessions/BrowserIdManager.py	2012-10-31 14:14:15 UTC (rev 128160)
+++ Zope/branches/2.13/src/Products/Sessions/BrowserIdManager.py	2012-10-31 14:14:36 UTC (rev 128161)
@@ -1,5 +1,5 @@
 ############################################################################
-# 
+#
 # Copyright (c) 2002 Zope Foundation and Contributors.
 #
 # This software is subject to the provisions of the Zope Public License,
@@ -10,10 +10,12 @@
 # FOR A PARTICULAR PURPOSE
 #
 ############################################################################
+
 import binascii
 from cgi import escape
+from hashlib import sha256
 import logging
-import random
+import os
 import re
 import string
 import sys
@@ -63,6 +65,29 @@
 LOG = logging.getLogger('Zope.BrowserIdManager')
+# Use the system PRNG if possible
+import random
+try:
+    random = random.SystemRandom()
+    using_sysrandom = True
+except NotImplementedError:
+    using_sysrandom = False
+
+
+def _randint(start, end):
+    if not using_sysrandom:
+        # This is ugly, and a hack, but it makes things better than
+        # the alternative of predictability. This re-seeds the PRNG
+        # using a value that is hard for an attacker to predict, every
+        # time a random string is required. This may change the
+        # properties of the chosen random sequence slightly, but this
+        # is better than absolute predictability.
+        random.seed(sha256(
+            "%s%s%s" % (random.getstate(), time.time(), os.getpid())
+        ).digest())
+    return random.randint(start, end)
+
+
 def constructBrowserIdManager(
     self, id=BROWSERID_MANAGER_NAME, title='', idname='_ZopeId',
     location=('cookies', 'form'), cookiepath='/', cookiedomain='',
@@ -555,7 +580,7 @@
         return None
-def getNewBrowserId(randint=random.randint, maxint=99999999):
+def getNewBrowserId(randint=_randint, maxint=99999999):
     """ Returns 19-character string browser id
     'AAAAAAAABBBBBBBB' where:
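Review bot: The `except NotImplementedError:` around `random.SystemRandom()` in the `@@ -63,6 +65,29 @@` hunk will, as far as I can tell, never fire: constructing `SystemRandom` does not call `os.urandom` (on Python 2 its `seed` is a stub), so on a platform without `os.urandom` the `NotImplementedError` is raised from the first `random.randint()` call inside `_randint`, and the re-seeding fallback is dead code. Probing the source once at import makes the fallback reachable: `try:` / `    os.urandom(1)` / `    random = random.SystemRandom()`. Taking the fallback should also be visible to operators, e.g. `LOG.warning('os.urandom unavailable; browser ids use a re-seeded Mersenne Twister')` in the except branch, because that mode is materially weaker than the advertised fix. Outside this hunk but in the same commit: CHANGES.rst lists AccessControl = 2.13.12, while the versions.cfg hunk still shows `AccessControl = 2.13.11` as unchanged context; if the constant-time comparison named in the commit message lives in AccessControl (it is not in this file), the pin needs bumping before 2.13.19 ships.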
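Review bot: The unpredictable part of an id from `getNewBrowserId` in the `@@ -555,7 +580,7 @@` hunk is still only an 8-digit decimal number (`maxint=99999999`, roughly 26.6 bits), which the new `_randint` default does not change; the remaining characters come from `getB64TStamp()`, which by its name is a timestamp an attacker who can bound the issue time can largely guess. If the 19-character format cannot change because callers validate it, the limit should at least be stated in the docstring, e.g. `The first 8 characters carry about 26.6 bits of randomness; the rest is derived from the current time.`, and if it can change, the random part should be widened. The docstring should also state the contract of the `randint` parameter, namely `randint(start, end)` returning an integer in the inclusive range, which both `_randint` and `random.randint` satisfy. The body of `getNewBrowserId` continues past this hunk.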
@@ -570,5 +595,4 @@
     An example is: 89972317A0C3EHnUi90w
     """
-    return '%08i%s' % (randint(0, maxint-1), getB64TStamp())
-
+    return '%08i%s' % (randint(0, maxint - 1), getB64TStamp())
Modified: Zope/branches/2.13/versions.cfg
===================================================================
--- Zope/branches/2.13/versions.cfg	2012-10-31 14:14:15 UTC (rev 128160)
+++ Zope/branches/2.13/versions.cfg	2012-10-31 14:14:36 UTC (rev 128161)
@@ -4,7 +4,7 @@
 [versions]
 # Zope2-specific
-Zope2 =
+Zope2 = 2.13.19
 AccessControl = 2.13.11
 Acquisition = 2.13.8
 DateTime = 2.12.7
_______________________________________________
Zope-Checkins maillist - Zope-Checkins@zope.org
https://mail.zope.org/mailman/listinfo/zope-checkins