From 93f5f86afd3e92f2e9b5559355e94982de45c43a Mon Sep 17 00:00:00 2001
From: Colin Newell
Date: Mon, 27 Jul 2015 17:27:21 +0100
Subject: [PATCH] [FIX] auth_signup, event_moodle, pad, share, survey: use system random number generator

Switch to system random as number generator instead of the default PRNG, which is not recommended for generating security-related values such as unique tokens.

Closes #7761
---
 addons/auth_signup/res_users.py | 2 +-
 addons/event_moodle/event_moodle.py | 3 +--
 addons/pad/pad.py | 2 +-
 addons/share/wizard/share_wizard.py | 2 +-
 addons/survey/wizard/survey_send_invitation.py | 4 ++--
 5 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/addons/auth_signup/res_users.py b/addons/auth_signup/res_users.py
index e29d55ba47b..b896e92558d 100644
--- a/addons/auth_signup/res_users.py
+++ b/addons/auth_signup/res_users.py
@@ -34,7 +34,7 @@ class SignupError(Exception):
 def random_token():
 # the token has an entropy of about 120 bits (6 bits/char * 20 chars)
 chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
- return ''.join(random.choice(chars) for i in xrange(20))
+ return ''.join(random.SystemRandom().choice(chars) for i in xrange(20))
 def now(**kwargs):
 dt = datetime.now() + timedelta(**kwargs)
diff --git a/addons/event_moodle/event_moodle.py b/addons/event_moodle/event_moodle.py
index 5c7373d1adb..730eabdfc02 100644
--- a/addons/event_moodle/event_moodle.py
+++ b/addons/event_moodle/event_moodle.py
@@ -24,7 +24,6 @@ import xmlrpclib
 import string
 import time
 import random
-from random import sample
 from openerp.tools.translate import _
 class event_moodle(osv.osv):
@@ -123,7 +122,7 @@ class event_moodle(osv.osv):
 """
 rand = string.ascii_letters + string.digits
 length = 8
- passwd = ''.join(sample(rand, length))
+ passwd = ''.join(random.SystemRandom().sample(rand, length))
 passwd = passwd + '+'
 return passwd
diff --git a/addons/pad/pad.py b/addons/pad/pad.py
index 0eb92808053..18be38269b7 100644
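Review bot: `random.SystemRandom()` is constructed inside the generator expression on the `+` line of random_token, so a new instance is built for each of the 20 characters. Creating it once is clearer and matches the one-instance-per-call shape of the share_wizard and event_moodle hunks: `sysrand = random.SystemRandom()` followed by `return ''.join(sysrand.choice(chars) for i in xrange(20))`. The same per-character construction appears in the pad.py salt comprehension and in survey_send_invitation.py's genpasswd. The alphabet is still the 62 symbols the comment above counts, so the "about 120 bits" note remains accurate after the change.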
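Review bot: `sample(rand, length)` on the `+` line draws the 8 characters without replacement, so the password can never repeat a character; that is a structural constraint that leaves fewer possible values than 8 independent draws, and the fixed trailing `'+'` appended on the next line adds no entropy. If repeated characters are acceptable, `passwd = ''.join(random.SystemRandom().choice(rand) for i in range(length))` removes the constraint with no other change to the method. The same without-replacement draw is kept in generate_random_pass in share_wizard.py. The enclosing method's signature and the opening of its docstring are above this hunk.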
--- a/addons/pad/pad.py
+++ b/addons/pad/pad.py
@@ -35,7 +35,7 @@ class pad_common(osv.osv_memory):
 pad["server"] = pad["server"].rstrip('/')
 # generate a salt
 s = string.ascii_uppercase + string.digits
- salt = ''.join([s[random.randint(0, len(s) - 1)] for i in range(10)])
+ salt = ''.join([s[random.SystemRandom().randint(0, len(s) - 1)] for i in range(10)])
 #path
 # etherpad hardcodes pad id length limit to 50
 path = '-%s-%s' % (self._name, salt)
diff --git a/addons/share/wizard/share_wizard.py b/addons/share/wizard/share_wizard.py
index 41ccf0bead5..0920081baa8 100644
--- a/addons/share/wizard/share_wizard.py
+++ b/addons/share/wizard/share_wizard.py
@@ -47,7 +47,7 @@ DOMAIN_ALL = [(1, '=', 1)]
 # A good selection of easy to read password characters (e.g. no '0' vs 'O', etc.)
 RANDOM_PASS_CHARACTERS = 'aaaabcdeeeefghjkmnpqrstuvwxyzAAAABCDEEEEFGHJKLMNPQRSTUVWXYZ23456789'
 def generate_random_pass():
- return ''.join(random.sample(RANDOM_PASS_CHARACTERS,10))
+ return ''.join(random.SystemRandom().sample(RANDOM_PASS_CHARACTERS,10))
 class share_wizard(osv.TransientModel):
 _name = 'share.wizard'
diff --git a/addons/survey/wizard/survey_send_invitation.py b/addons/survey/wizard/survey_send_invitation.py
index 177815c24b5..e2304811d82 100644
--- a/addons/survey/wizard/survey_send_invitation.py
+++ b/addons/survey/wizard/survey_send_invitation.py
@@ -20,7 +20,7 @@
 ##############################################################################
 import time
-from random import choice
+import random
 import string
 import os
 import datetime
@@ -51,7 +51,7 @@ class survey_send_invitation(osv.osv_memory):
 def genpasswd(self):
 chars = string.letters + string.digits
- return ''.join([choice(chars) for i in range(6)])
+ return ''.join([random.SystemRandom().choice(chars) for i in range(6)])
 def default_get(self, cr, uid, fields_list, context=None):
 if context is None:
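Review bot: `s[random.SystemRandom().randint(0, len(s) - 1)]` on the `+` line re-implements `choice` by hand and builds a fresh SystemRandom for each of the 10 salt characters. The direct equivalent is one instance and `choice`: `sysrand = random.SystemRandom()` then `salt = ''.join(sysrand.choice(s) for i in range(10))`, which keeps the same 36-symbol alphabet and length. The surrounding method starts and ends outside this hunk.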
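Review bot: `chars = string.letters + string.digits` in genpasswd, the context line just above the `+` line, uses the locale-dependent Python 2 attribute, so the alphabet the password is drawn from can change with the process locale; `string.ascii_letters`, which the event_moodle.py hunk already uses, is fixed. Six draws from 62 symbols also give well under 40 bits, and switching to SystemRandom does not change that — raising the length is a separate decision this commit does not take. Proposed body: `chars = string.ascii_letters + string.digits`, `sysrand = random.SystemRandom()`, `return ''.join(sysrand.choice(chars) for i in range(6))`, which also stops constructing a SystemRandom per character. genpasswd is complete within the hunk; default_get below it continues outside.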