RootPage.loginUser can lead to sensitive information leak #1063
Labels
Milestone
Comments
|
Hi @rcaa. Thanks for the report. Perhaps you'd be willing to submit a PR? |
|
Sure, @gitblit . I have submitted a pull request just now. |
flaix
added a commit
to flaix/gitblit
that referenced
this issue
Dec 10, 2016
To get proper entropy in user authentication cookie creation, make use of `SecureRandom` instead of using `Math.random()`, or `Random`. Introduce our own wrapper `SecureRandom` around `java.security.SecureRandom`. This a) makes sure that the PRNG is seeded on creation and not when random bytes are retrieved, and b) uses a static instance in the `UserModel` so that lags do not occur during operation due to potentially seeding getting blocked on Unix when reading from the system's entropy pool. To keep the random data still secure, the static instance will reseed all 24 hours, also a functionality of the wrapper class. This fixes gitblit#1063 and extends and closes PR gitblit#1116
flaix
added
Status-Done
Catg-Enhancement
Status-Obsolete
flaix
removed
the
Status-Obsolete
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
RootPage.app().authentication().setCookie(request, response, user);
The user argument contains sensitive information, such as user password. The user password is combined with user login to form a hash using SHA-1 algorithm. However, this is a weak algorithm, and tools like hash killer can easily decrypt billions of hashes.
I would suggest avoiding passing user password to setCookie(). This would help to prevent someone accessing our accounts when they have access to our browser cookies.
The text was updated successfully, but these errors were encountered: