[FIX] auth_signup, event_moodle, pad, share, survey: use system random number generator
Switch to the system random number generator instead of the default PRNG, which is not recommended for generating security-related values such as unique tokens. Closes #7761
parent
52edf789c2
commit
93f5f86afd
|
@ -34,7 +34,7 @@ class SignupError(Exception):
|
||||||
def random_token():
|
def random_token():
|
||||||
# the token has an entropy of about 120 bits (6 bits/char * 20 chars)
|
# the token has an entropy of about 120 bits (6 bits/char * 20 chars)
|
||||||
chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
|
chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
|
||||||
return ''.join(random.choice(chars) for i in xrange(20))
|
return ''.join(random.SystemRandom().choice(chars) for i in xrange(20))
|
||||||
|
|
||||||
def now(**kwargs):
|
def now(**kwargs):
|
||||||
dt = datetime.now() + timedelta(**kwargs)
|
dt = datetime.now() + timedelta(**kwargs)
|
||||||
|
|
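Review bot: `random.SystemRandom()` is instantiated once per character inside the generator expression on the new `return` line of random_token, which is wasteful and makes the line harder to read. A single module-level instance, `_sysrand = random.SystemRandom()`, used as `''.join(_sysrand.choice(chars) for i in xrange(20))`, gives the same OS-backed randomness. The same per-iteration construction appears in the pad salt and survey genpasswd hunks of this commit. The comment above could also record why the OS generator is used: `# SystemRandom draws from os.urandom; the default Mersenne Twister output is predictable`.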
|
@ -24,7 +24,6 @@ import xmlrpclib
|
||||||
import string
|
import string
|
||||||
import time
|
import time
|
||||||
import random
|
import random
|
||||||
from random import sample
|
|
||||||
from openerp.tools.translate import _
|
from openerp.tools.translate import _
|
||||||
|
|
||||||
class event_moodle(osv.osv):
|
class event_moodle(osv.osv):
|
||||||
|
@ -123,7 +122,7 @@ class event_moodle(osv.osv):
|
||||||
"""
|
"""
|
||||||
rand = string.ascii_letters + string.digits
|
rand = string.ascii_letters + string.digits
|
||||||
length = 8
|
length = 8
|
||||||
passwd = ''.join(sample(rand, length))
|
passwd = ''.join(random.SystemRandom().sample(rand, length))
|
||||||
passwd = passwd + '+'
|
passwd = passwd + '+'
|
||||||
return passwd
|
return passwd
|
||||||
|
|
||||||
|
|
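Review bot: `sample(rand, length)` on the new `passwd =` line draws without replacement, so no character can repeat within the 8 generated characters and the set of possible passwords is smaller than 62^8; the constant `'+'` appended afterwards adds no unpredictability. Drawing each position independently avoids this: `rng = random.SystemRandom()` followed by `passwd = ''.join(rng.choice(rand) for _ in range(length))`. generate_random_pass in the share hunk uses `sample` the same way. The enclosing method begins above this hunk.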
|
@ -35,7 +35,7 @@ class pad_common(osv.osv_memory):
|
||||||
pad["server"] = pad["server"].rstrip('/')
|
pad["server"] = pad["server"].rstrip('/')
|
||||||
# generate a salt
|
# generate a salt
|
||||||
s = string.ascii_uppercase + string.digits
|
s = string.ascii_uppercase + string.digits
|
||||||
salt = ''.join([s[random.randint(0, len(s) - 1)] for i in range(10)])
|
salt = ''.join([s[random.SystemRandom().randint(0, len(s) - 1)] for i in range(10)])
|
||||||
#path
|
#path
|
||||||
# etherpad hardcodes pad id length limit to 50
|
# etherpad hardcodes pad id length limit to 50
|
||||||
path = '-%s-%s' % (self._name, salt)
|
path = '-%s-%s' % (self._name, salt)
|
||||||
|
|
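Review bot: The value built on the new `salt =` line goes straight into the pad path, so it appears to act as the unguessable part of the pad identifier rather than as a salt; a comment saying so would help, e.g. `# random suffix: keeps the pad path unguessable, so it must come from the OS CSPRNG`. The expression `s[random.SystemRandom().randint(0, len(s) - 1)]` is also a hand-written `random.SystemRandom().choice(s)`. Ten characters from a 36-symbol alphabet give roughly 51 bits; whether that is enough depends on what other access control the pad server applies, which is not visible in this hunk. The enclosing method starts and ends outside the hunk.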
|
@ -47,7 +47,7 @@ DOMAIN_ALL = [(1, '=', 1)]
|
||||||
# A good selection of easy to read password characters (e.g. no '0' vs 'O', etc.)
|
# A good selection of easy to read password characters (e.g. no '0' vs 'O', etc.)
|
||||||
RANDOM_PASS_CHARACTERS = 'aaaabcdeeeefghjkmnpqrstuvwxyzAAAABCDEEEEFGHJKLMNPQRSTUVWXYZ23456789'
|
RANDOM_PASS_CHARACTERS = 'aaaabcdeeeefghjkmnpqrstuvwxyzAAAABCDEEEEFGHJKLMNPQRSTUVWXYZ23456789'
|
||||||
def generate_random_pass():
|
def generate_random_pass():
|
||||||
return ''.join(random.sample(RANDOM_PASS_CHARACTERS,10))
|
return ''.join(random.SystemRandom().sample(RANDOM_PASS_CHARACTERS,10))
|
||||||
|
|
||||||
class share_wizard(osv.TransientModel):
|
class share_wizard(osv.TransientModel):
|
||||||
_name = 'share.wizard'
|
_name = 'share.wizard'
|
||||||
|
|
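Review bot: RANDOM_PASS_CHARACTERS repeats `a`, `e`, `A` and `E` four times each, so even with SystemRandom the characters returned by generate_random_pass are not uniformly distributed and vowels are favoured. If the weighting is deliberate for readability, a comment on the constant should say so and note that it lowers the entropy per character. Otherwise a deduplicated alphabet, `'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'`, makes every listed character equally likely.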
|
@ -20,7 +20,7 @@
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
import time
|
import time
|
||||||
from random import choice
|
import random
|
||||||
import string
|
import string
|
||||||
import os
|
import os
|
||||||
import datetime
|
import datetime
|
||||||
|
@ -51,7 +51,7 @@ class survey_send_invitation(osv.osv_memory):
|
||||||
|
|
||||||
def genpasswd(self):
|
def genpasswd(self):
|
||||||
chars = string.letters + string.digits
|
chars = string.letters + string.digits
|
||||||
return ''.join([choice(chars) for i in range(6)])
|
return ''.join([random.SystemRandom().choice(chars) for i in range(6)])
|
||||||
|
|
||||||
def default_get(self, cr, uid, fields_list, context=None):
|
def default_get(self, cr, uid, fields_list, context=None):
|
||||||
if context is None:
|
if context is None:
|
||||||
|
|
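Review bot: genpasswd still returns only 6 characters, about 36 bits with a 62-symbol alphabet, so the stronger generator alone leaves the password short; the length should be raised, e.g. `range(12)`, if nothing downstream depends on 6. `string.letters` is locale-dependent in Python 2, whereas the event_moodle hunk uses `string.ascii_letters`; `chars = string.ascii_letters + string.digits` keeps the alphabet fixed. default_get continues past the end of the hunk.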