[FIX] auth_signup, event_moodle, pad, share, survey: use system random number generator

Switch to system random as number generator instead of the default PRNG, which is not recommended for generating security-related values such as unique tokens. Closes #7761
2015-07-27 17:27:21 +01:00 · 2015-07-27 17:27:21 +01:00 · 93f5f86afd
parent 52edf789c2
commit 93f5f86afd
5 changed files with 6 additions and 7 deletions
--- a/addons/auth_signup/res_users.py
+++ b/addons/auth_signup/res_users.py
@ -34,7 +34,7 @@ class SignupError(Exception):
 def random_token():
    # the token has an entropy of about 120 bits (6 bits/char * 20 chars)
    chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
-    return ''.join(random.choice(chars) for i in xrange(20))
+    return ''.join(random.SystemRandom().choice(chars) for i in xrange(20))

 def now(**kwargs):
    dt = datetime.now() + timedelta(**kwargs)
--- a/addons/event_moodle/event_moodle.py
+++ b/addons/event_moodle/event_moodle.py
@ -24,7 +24,6 @@ import xmlrpclib
 import string
 import time
 import random
-from random import sample
 from openerp.tools.translate import _

 class event_moodle(osv.osv):
@ -123,7 +122,7 @@ class event_moodle(osv.osv):
        """
        rand = string.ascii_letters + string.digits
        length = 8
-        passwd = ''.join(sample(rand, length))
+        passwd = ''.join(random.SystemRandom().sample(rand, length))
        passwd = passwd + '+'
        return passwd

--- a/addons/pad/pad.py
+++ b/addons/pad/pad.py
@ -35,7 +35,7 @@ class pad_common(osv.osv_memory):
        pad["server"] = pad["server"].rstrip('/')
        # generate a salt
        s = string.ascii_uppercase + string.digits
-        salt = ''.join([s[random.randint(0, len(s) - 1)] for i in range(10)])
+        salt = ''.join([s[random.SystemRandom().randint(0, len(s) - 1)] for i in range(10)])
        #path
        # etherpad hardcodes pad id length limit to 50
        path = '-%s-%s' % (self._name, salt)
--- a/addons/share/wizard/share_wizard.py
+++ b/addons/share/wizard/share_wizard.py
@ -47,7 +47,7 @@ DOMAIN_ALL = [(1, '=', 1)]
 # A good selection of easy to read password characters (e.g. no '0' vs 'O', etc.)
 RANDOM_PASS_CHARACTERS = 'aaaabcdeeeefghjkmnpqrstuvwxyzAAAABCDEEEEFGHJKLMNPQRSTUVWXYZ23456789'
 def generate_random_pass():
-    return ''.join(random.sample(RANDOM_PASS_CHARACTERS,10))
+    return ''.join(random.SystemRandom().sample(RANDOM_PASS_CHARACTERS,10))

 class share_wizard(osv.TransientModel):
    _name = 'share.wizard'
--- a/addons/survey/wizard/survey_send_invitation.py
+++ b/addons/survey/wizard/survey_send_invitation.py
@ -20,7 +20,7 @@
 ##############################################################################

 import time
-from random import choice
+import random
 import string
 import os
 import datetime
@ -51,7 +51,7 @@ class survey_send_invitation(osv.osv_memory):

    def genpasswd(self):
        chars = string.letters + string.digits
-        return ''.join([choice(chars) for i in range(6)])
+        return ''.join([random.SystemRandom().choice(chars) for i in range(6)])

    def default_get(self, cr, uid, fields_list, context=None):
        if context is None: