[FIX] auth_crypt: use system random number generator

Switch to the system random number generator instead of the
default PRNG, which is not recommended for generating
security-related values such as unique tokens.

(Complements parent commit)

Closes #7761
Olivier Dony 2015-07-29 13:48:12 +02:00
parent 93f5f86afd
commit b4de311b0c
1 changed files with 2 additions and 2 deletions


@ -11,7 +11,7 @@
import hashlib
import hmac
import logging
from random import sample
import random
from string import ascii_letters, digits
import openerp
@ -28,7 +28,7 @@ res_users.USER_PRIVATE_FIELDS.append('password_crypt')
def gen_salt(length=8, symbols=None):
if symbols is None:
symbols = ascii_letters + digits
return ''.join(sample(symbols, length))
return ''.join(random.SystemRandom().sample(symbols, length))
def md5crypt( raw_pw, salt, magic=magic_md5 ):
""" md5crypt FreeBSD crypt(3) based on but different from md5
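Review bot: `sample()` on the new `return` line of `gen_salt` draws without replacement, so no character can repeat within a salt and the call raises `ValueError` once `length` exceeds the number of symbols (62 with the default alphabet). Drawing each character independently keeps the full keyspace for the requested length: `return ''.join(random.SystemRandom().choice(symbols) for _ in range(length))`. A short docstring on `gen_salt` stating that the salt comes from the OS random source, and must not fall back to the module-level `random` functions, would keep a later edit from undoing this. `md5crypt`'s body continues outside the hunk.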