Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upRootPage.loginUser can lead to sensitive information leak #1063
Labels
Milestone
Comments
This comment has been minimized.
This comment has been minimized.
|
Hi @rcaa. Thanks for the report. Perhaps you'd be willing to submit a PR? |
This comment has been minimized.
This comment has been minimized.
|
Sure, @gitblit . I have submitted a pull request just now. |
fzs
added a commit
to fzs/gitblit
that referenced
this issue
Dec 10, 2016
To get proper entropy in user authentication cookie creation, make use of `SecureRandom` instead of using `Math.random()`, or `Random`. Introduce our own wrapper `SecureRandom` around `java.security.SecureRandom`. This a) makes sure that the PRNG is seeded on creation and not when random bytes are retrieved, and b) uses a static instance in the `UserModel` so that lags do not occur during operation due to potentially seeding getting blocked on Unix when reading from the system's entropy pool. To keep the random data still secure, the static instance will reseed all 24 hours, also a functionality of the wrapper class. This fixes gitblit#1063 and extends and closes PR gitblit#1116
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
RootPage.app().authentication().setCookie(request, response, user);
The user argument contains sensitive information, such as user password. The user password is combined with user login to form a hash using SHA-1 algorithm. However, this is a weak algorithm, and tools like hash killer can easily decrypt billions of hashes.
I would suggest avoiding passing user password to setCookie(). This would help to prevent someone accessing our accounts when they have access to our browser cookies.