John Rouillard <rouilj+...@cs.umb.edu> added the comment:
Hi Berker:

In message <1527918822.93.0.81473610881.issue...@psf.upfronthosting.co.za>, Berker Peksag writes:

>Berker Peksag <berker.pek...@gmail.com> added the comment:
>
>I've just committed John's suggested approach in
>https://hg.python.org/tracker/python-dev/rev/9e1d65b4927c but it
>needs to be deployed by bugs.p.o maintainers. Thank you, again!
>
>> I'll keep poking at it to try to figure out why random seems to be
>> losing state, but I am stumped here.
>
>Did you get a chance to look at what was wrong on Roundup's side?

I spent about 4 hours on it but didn't come up with any cause. I couldn't reproduce it in a test case. Every theory I came up with didn't predict the symptoms I was seeing.

The major change in the newest release is that Roundup's core now uses SystemRandom/os.urandom when available. This is used for various one-time keys/nonces to prevent CSRF and other nastiness.

The Random Issue extension uses the pseudo-random generator since calling seed() has an effect. When using SystemRandom/os.urandom, seed() is a no-op.

My only guess is that somehow those two randoms are interacting badly, with the result that the pseudo-random generator is not being properly initialized/reinitialized/state preserved. As a result, on every random call the same number is returned. Proving that theory would require looking at the C code and seeing what the relationship is between these two implementations. I was going down that path and just ran out of steam. (Frankly I think this theory is junk, but it's the only one I have that explains the symptoms.)

The solution I proposed does have the slight risk that the return value of the pseudo-random generator elsewhere in the Roundup code could be predicted. By hitting the random article the attacker can seed the pseudo-random generator with one of a few known values. As a result, values returned by other uses of random may be predictable.

This shouldn't affect the core Roundup use on any system that has urandom.SystemRandom, so there is no security issue AFAICT.

Hopefully this email will open and re-resolve the issue. If it leaves it open, sorry about that.

_______________________________________________________
PSF Meta Tracker <metatrac...@psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue644>
_______________________________________________________

_______________________________________________
Tracker-discuss mailing list
Tracker-discuss@python.org
https://mail.python.org/mailman/listinfo/tracker-discuss
Code of Conduct: https://www.python.org/psf/codeofconduct/
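The two points in the message above, as an added Python example that is not code from the thread, from Roundup, or from the Random Issue extension: first, that a request which reseeds the module-level `random` generator with one of a few known values lets an attacker replay those seeds and predict a later draw from the same generator; second, that `SystemRandom.seed()` is a no-op, so generators backed by os.urandom are unaffected. The handler and attacker functions, the ten candidate seeds and the `0xC0FFEE` starting state are constructed for illustration. The last function shows one mitigation assumed here (giving the reseeding component its own `random.Random()` instance); it is not the fix Berker committed, which the page does not show.

```python
import random


def token_from(rng, nbytes=16):
    """Draw a hex token from any random.Random-compatible generator."""
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def token_after_global_seed(seed):
    """Model a page handler that reseeds the module-level PRNG with a
    small, guessable value (as the random-article extension does), then an
    unrelated later use of the same module-level generator for a 'secret'."""
    random.seed(seed)            # the extension's seed() call
    random.randrange(1000)       # the extension's own draw (pick an issue)
    return token_from(random)    # other code draws a token afterwards


def attacker_candidate_tokens(candidate_seeds):
    """An attacker who knows the handful of possible seeds replays each one
    in a private generator and precomputes the token each would yield.
    random.Random(s) reaches the same state as random.seed(s)."""
    out = {}
    for s in candidate_seeds:
        rng = random.Random(s)
        rng.randrange(1000)      # mirror the extension's draw
        out[s] = token_from(rng)
    return out


def system_random_ignores_seed(seed):
    """SystemRandom.seed() is a stub: two instances given the same seed
    still draw independent values from os.urandom. True if they differ."""
    a = random.SystemRandom()
    b = random.SystemRandom()
    a.seed(seed)
    b.seed(seed)
    return token_from(a) != token_from(b)


def private_instance_does_not_disturb_others(seed):
    """Seeding a dedicated random.Random() leaves every other generator's
    stream alone, so a component that must call seed() should own one."""
    core = random.Random(0xC0FFEE)            # constructed stand-in for the rest of the app
    expected = [core.getrandbits(32) for _ in range(3)]

    core = random.Random(0xC0FFEE)            # same starting state again
    ext = random.Random()                     # the reseeding component's own PRNG
    observed = []
    for _ in range(3):
        ext.seed(seed)                        # reseed only the private instance
        ext.randrange(1000)
        observed.append(core.getrandbits(32)) # core's stream must be unaffected
    return observed == expected


if __name__ == "__main__":
    seeds = range(1, 11)                      # constructed: the "few known values"
    leaked = token_after_global_seed(seeds[3])
    guesses = attacker_candidate_tokens(seeds)
    hit = [s for s, t in guesses.items() if t == leaked]
    print("token recovered from candidate seed(s):", hit)
    print("SystemRandom ignores seed():", system_random_ignores_seed(42))
    print("private instance isolates reseeding:",
          private_instance_does_not_disturb_others(42))
```

The first two functions only hold when the later "secret" is drawn from the same generator the extension reseeded, which is exactly the shared module-level state the message worries about; a token produced by `random.SystemRandom` (or `secrets`) is never affected by a prior `seed()` call, which is why core Roundup on a system with os.urandom is not exposed.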