Use SystemRandom for token generation

Richard van der Hoff 2019-05-03 12:38:03 +01:00
parent ac6a0d72b2
commit 247dc1bd0b
2 changed files with 8 additions and 2 deletions

changelog.d/5133.bugfix Normal file

@ -0,0 +1 @@
Switch to using a cryptographically-secure random number generator for token strings, ensuring they cannot be predicted by an attacker. Thanks to @opnsec for for identifying and responsibly disclosing this issue!
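Review bot: duplicated word in the changelog entry, "for for identifying" should read "for identifying". It would also help readers to name the affected helpers (random_string and random_string_with_symbols) so they can tell which token strings this fix covers.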


@ -24,14 +24,19 @@ _string_with_symbols = (
string.digits + string.ascii_letters + ".,;:^&*-_+=#~@" string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
) )
# random_string and random_string_with_symbols are used for a range of things,
# some cryptographically important, some less so. We use SystemRandom to make sure
# we get cryptographically-secure randoms.
rand = random.SystemRandom()
def random_string(length): def random_string(length):
return ''.join(random.choice(string.ascii_letters) for _ in range(length)) return ''.join(rand.choice(string.ascii_letters) for _ in range(length))
def random_string_with_symbols(length): def random_string_with_symbols(length):
return ''.join( return ''.join(
random.choice(_string_with_symbols) for _ in range(length) rand.choice(_string_with_symbols) for _ in range(length)
) )
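Review bot: with the module-level `rand = random.SystemRandom()` the strength of a token now depends only on `length`, so the docstrings of `random_string` and `random_string_with_symbols` should state the per-character entropy so callers pick an adequate length: `string.ascii_letters` is 52 symbols (about 5.7 bits per character), and `_string_with_symbols` is 52 + 10 + 14 = 76 symbols (about 6.25 bits per character), so a 32-character `random_string` token carries roughly 182 bits. A comment that `SystemRandom` raises `NotImplementedError` where `os.urandom` is unavailable, rather than silently falling back to the default Mersenne Twister generator, would also document why the module-level instance is safe to create at import time; and once the minimum Python version reaches 3.6, `secrets.choice` is the standard-library equivalent of `rand.choice`.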