Log message for revision 128164: LP #1071067: Use a stronger random number generator and a constant time comparison function.
Changed:
U   Zope/trunk/src/Products/Sessions/BrowserIdManager.py
U   Zope/trunk/versions.cfg

-=-
Modified: Zope/trunk/src/Products/Sessions/BrowserIdManager.py
===================================================================
--- Zope/trunk/src/Products/Sessions/BrowserIdManager.py 2012-10-31 14:15:54 UTC (rev 128163)
+++ Zope/trunk/src/Products/Sessions/BrowserIdManager.py 2012-10-31 14:16:35 UTC (rev 128164)
@@ -1,5 +1,5 @@
 ############################################################################
-# 
+#
 # Copyright (c) 2002 Zope Foundation and Contributors.
 #
 # This software is subject to the provisions of the Zope Public License,
@@ -10,10 +10,12 @@
 # FOR A PARTICULAR PURPOSE
 #
 ############################################################################
+
 import binascii
 from cgi import escape
+from hashlib import sha256
 import logging
-import random
+import os
 import re
 import string
 import sys
@@ -63,6 +65,29 @@
 LOG = logging.getLogger('Zope.BrowserIdManager')
 
 
+# Use the system PRNG if possible
+import random
+try:
+    random = random.SystemRandom()
+    using_sysrandom = True
+except NotImplementedError:
+    using_sysrandom = False
+
+
+def _randint(start, end):
+    if not using_sysrandom:
+        # This is ugly, and a hack, but it makes things better than
+        # the alternative of predictability. This re-seeds the PRNG
+        # using a value that is hard for an attacker to predict, every
+        # time a random string is required. This may change the
+        # properties of the chosen random sequence slightly, but this
+        # is better than absolute predictability.
+        random.seed(sha256(
+            "%s%s%s" % (random.getstate(), time.time(), os.getpid())
+        ).digest())
+    return random.randint(start, end)
+
+
 def constructBrowserIdManager(
         self, id=BROWSERID_MANAGER_NAME, title='', idname='_ZopeId',
         location=('cookies', 'form'), cookiepath='/', cookiedomain='',
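Review bot: The `except NotImplementedError` around `random = random.SystemRandom()` in the `@@ -63,6 +65,29 @@` hunk guards the wrong call: as far as I can tell from the stdlib, `SystemRandom()` never touches `os.urandom` (its `seed()` is a stub), so on a host without `/dev/urandom` the error is raised later by `random.randint` inside `_randint`, once per request, and the Mersenne Twister fallback is never selected. Probe the entropy source before the name is rebound, e.g. make `os.urandom(1)  # SystemRandom() itself never reads os.urandom; detect its absence here, not per request` the first statement in the `try`; the order matters because once `random` is the SystemRandom instance, the fallback's `random.seed(...)` is a no-op on it. Two smaller points on the fallback path: on Python 2 `random.seed(<32-byte digest string>)` reduces the seed to `hash()` of the string, so the reseed carries at most the platform hash width rather than 256 bits, and the mid-module `import random` that shadows the module name with an instance deserves a one-line comment saying so, since `random.getstate()` and `random.seed()` in `_randint` then resolve against whichever object won the `try`.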
@@ -553,7 +578,7 @@
         return None
 
 
-def getNewBrowserId(randint=random.randint, maxint=99999999):
+def getNewBrowserId(randint=_randint, maxint=99999999):
     """
     Returns 19-character string browser id 'AAAAAAAABBBBBBBB'
     where:
@@ -568,5 +593,4 @@
 
     An example is: 89972317A0C3EHnUi90w
     """
-    return '%08i%s' % (randint(0, maxint-1), getB64TStamp())
-
+    return '%08i%s' % (randint(0, maxint - 1), getB64TStamp())

Modified: Zope/trunk/versions.cfg
===================================================================
--- Zope/trunk/versions.cfg 2012-10-31 14:15:54 UTC (rev 128163)
+++ Zope/trunk/versions.cfg 2012-10-31 14:16:35 UTC (rev 128164)
@@ -5,7 +5,7 @@
 [versions]
 # Zope2-specific
 Zope2 =
-AccessControl = 3.0.5
+AccessControl = 3.0.6
 Acquisition = 4.0a1
 DateTime = 3.0.2
 DocumentTemplate = 2.13.2

_______________________________________________
Zope-Checkins maillist  -  Zope-Checkins@zope.org
https://mail.zope.org/mailman/listinfo/zope-checkins
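Review bot: Swapping the default to `randint=_randint` in the `@@ -553,7 +578,7 @@` hunk improves the generator but not the search space of the id: with `maxint=99999999` the `'%08i'` prefix holds about 26.6 bits of randomness, and the `getB64TStamp()` suffix, judging by its name, is a timestamp that is largely predictable to anyone who knows roughly when the id was issued. Whether about 10^8 candidates per timestamp window is exploitable depends on how ids are validated and rate-limited elsewhere, which is outside this hunk, so I would at least state it in the docstring: `Only the 8-digit prefix is random (~26.6 bits with the default maxint); the base64 suffix is a timestamp.` Widening the default `maxint` would be the stronger fix, but it lengthens the id beyond the documented 'AAAAAAAABBBBBBBB' layout and the `_ZopeId` cookie value, so it needs a compatibility decision rather than a drive-by change. `getNewBrowserId` starts in this hunk and its `return` is in the following `@@ -568,5 +593,4 @@` hunk.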