[Checkins] SVN: Zope/trunk/ LP #1071067: Use a stronger random number generator and a constant time comparison function.

Hano Schlichting cvs-admin at zope.org
Wed Oct 31 14:16:35 UTC 2012


Log message for revision 128164:
  LP #1071067: Use a stronger random number generator and a constant time comparison function.
  

Changed:
  U   Zope/trunk/src/Products/Sessions/BrowserIdManager.py
  U   Zope/trunk/versions.cfg

-=-
Modified: Zope/trunk/src/Products/Sessions/BrowserIdManager.py
===================================================================
--- Zope/trunk/src/Products/Sessions/BrowserIdManager.py	2012-10-31 14:15:54 UTC (rev 128163)
+++ Zope/trunk/src/Products/Sessions/BrowserIdManager.py	2012-10-31 14:16:35 UTC (rev 128164)
@@ -1,5 +1,5 @@
 ############################################################################
-# 
+#
 # Copyright (c) 2002 Zope Foundation and Contributors.
 #
 # This software is subject to the provisions of the Zope Public License,
@@ -10,10 +10,12 @@
 # FOR A PARTICULAR PURPOSE
 #
 ############################################################################
+
 import binascii
 from cgi import escape
+from hashlib import sha256
 import logging
-import random
+import os
 import re
 import string
 import sys
@@ -63,6 +65,29 @@
 
 LOG = logging.getLogger('Zope.BrowserIdManager')
 
+# Use the system PRNG if possible
+import random
+try:
+    random = random.SystemRandom()
+    using_sysrandom = True
+except NotImplementedError:
+    using_sysrandom = False
+
+
+def _randint(start, end):
+    if not using_sysrandom:
+        # This is ugly, and a hack, but it makes things better than
+        # the alternative of predictability. This re-seeds the PRNG
+        # using a value that is hard for an attacker to predict, every
+        # time a random string is required. This may change the
+        # properties of the chosen random sequence slightly, but this
+        # is better than absolute predictability.
+        random.seed(sha256(
+            "%s%s%s" % (random.getstate(), time.time(), os.getpid())
+        ).digest())
+    return random.randint(start, end)
+
+
 def constructBrowserIdManager(
     self, id=BROWSERID_MANAGER_NAME, title='', idname='_ZopeId',
     location=('cookies', 'form'), cookiepath='/', cookiedomain='',
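Review bot: The `try`/`except NotImplementedError` around `random.SystemRandom()` does not detect a platform without `os.urandom`: as far as I can tell, constructing a SystemRandom instance only runs its no-op `seed()`, and `os.urandom` is first called when a number is drawn, so `using_sysrandom` stays True and the first `_randint` call raises NotImplementedError instead of taking the fallback. Probe the source inside the `try`, e.g. `random = random.SystemRandom(); random.random(); using_sysrandom = True`. The fallback branch also reseeds the module-global `random` on every call, which alters the sequence for any other code in the process using that module; a comment at the `random.seed(...)` line should state that side effect. `time.time()` is used at the reseed but `import time` is not visible in this diff — presumably it sits further down the import block.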
@@ -553,7 +578,7 @@
         return None
 
 
-def getNewBrowserId(randint=random.randint, maxint=99999999):
+def getNewBrowserId(randint=_randint, maxint=99999999):
     """ Returns 19-character string browser id
     'AAAAAAAABBBBBBBB'
     where:
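Review bot: The `getNewBrowserId` docstring still describes only the id's layout; now that the default is `_randint`, it should state where the random part comes from and how large it is, e.g. `The 8-digit prefix is drawn from _randint (os.urandom-backed where available); maxint=99999999 bounds it to ~26.6 bits.` It is also worth noting there that a caller supplying its own `randint` bypasses the stronger generator. The function body continues past the end of this hunk.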
@@ -568,5 +593,4 @@
 
     An example is: 89972317A0C3EHnUi90w
     """
-    return '%08i%s' % (randint(0, maxint-1), getB64TStamp())
-
+    return '%08i%s' % (randint(0, maxint - 1), getB64TStamp())

Modified: Zope/trunk/versions.cfg
===================================================================
--- Zope/trunk/versions.cfg	2012-10-31 14:15:54 UTC (rev 128163)
+++ Zope/trunk/versions.cfg	2012-10-31 14:16:35 UTC (rev 128164)
@@ -5,7 +5,7 @@
 [versions]
 # Zope2-specific
 Zope2 =
-AccessControl = 3.0.5
+AccessControl = 3.0.6
 Acquisition = 4.0a1
 DateTime = 3.0.2
 DocumentTemplate = 2.13.2


