
The random patch for 1.93 wasn't good enough as discovered by Sergei …

…Golovan, we need to cater for non printable chars
1 parent 92a1a27 commit ed75b53fbe8408962283902c2658bb2d45d5109e @klacke committed Jun 24, 2012
Showing with 18 additions and 17 deletions.
  1. +4 −1 applications/chat/src/chat.erl
  2. +5 −13 applications/mail/src/mail.erl
  3. +4 −1 applications/mail/src/smtp.erl
  4. +5 −2 src/yaws_session_server.erl
@@ -148,7 +148,7 @@ chat_server(Users0) ->
end,
chat_server(Users);
{new_session, User, From} ->
- Cookie = integer_to_list(random:uniform(1 bsl 50)),
+ Cookie = integer_to_list(bin2int(crypto:rand_bytes(16))),
Session = #user{cookie=Cookie, user=User, color=pick_color()},
From ! {session_manager, Cookie, Session},
chat_server([Session|Users]);
@@ -188,6 +188,9 @@ chat_server(Users0) ->
chat_server(Users)
end.
+bin2int(Bin) ->
+ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+
%%
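Review bot: The session cookie on the new `Cookie = integer_to_list(bin2int(crypto:rand_bytes(16)))` line is a bearer credential, and `crypto:rand_bytes/1` is documented as the crypto library's pseudo-random generator rather than the cryptographically strong one; `crypto:strong_rand_bytes/1` is the API meant for tokens like this, so the line should read `Cookie = integer_to_list(bin2int(crypto:strong_rand_bytes(16))),`. Callers should be prepared for `strong_rand_bytes/1` to raise `low_entropy`, which is a reason to prefer failing loudly over falling back to a weaker source. The same substitution applies to the `crypto:rand_bytes` calls in mail.erl, smtp.erl and yaws_session_server.erl in this commit. The `chat_server/1` clause these lines belong to starts before and ends after the first hunk.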
@@ -1053,8 +1053,6 @@ session_server() ->
end.
session_manager_init() ->
- {X,Y,Z} = seed(),
- random:seed(X, Y, Z),
session_manager([], now(), read_config()).
session_manager(C0, LastGC0, Cfg) ->
@@ -1078,7 +1076,7 @@ session_manager(C0, LastGC0, Cfg) ->
end,
session_manager(C, LastGC, Cfg);
{new_session, Session, From} ->
- Cookie = integer_to_list(random:uniform(1 bsl 50)),
+ Cookie = integer_to_list(bin2int(crypto:rand_bytes(16))),
From ! {session_manager, Cookie},
session_manager([{Cookie, Session#session{cookie=Cookie},
now()}|C], LastGC, Cfg);
@@ -1219,15 +1217,6 @@ sendtimeout() -> req(sendtimeout).
diff({M1,S1,_}, {M2,S2,_}) ->
(M2-M1)*1000000+(S2-S1).
-seed() ->
- case (catch list_to_binary(
- os:cmd("dd if=/dev/urandom ibs=12 count=1 2>/dev/null"))) of
- <<X:32, Y:32, Z:32>> ->
- {X, Y, Z};
- _ ->
- now()
- end.
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
retr(Server, User, Password, Nr) ->
@@ -1959,7 +1948,10 @@ dat2str_boundary([Y1,Y2, Mo, D, H, M, S | _Diff]) ->
lists:flatten(
io_lib:format("~s_~2.2.0w_~s_~w_~2.2.0w:~2.2.0w:~2.2.0w_~w",
[weekday(Y1,Y2,Mo,D), D, int_to_mt(Mo),
- y(Y1,Y2),H,M,S,random:uniform(5000)])).
+ y(Y1,Y2),H,M,S,bin2int(crypto:rand_bytes(4))])).
+
+bin2int(Bin) ->
+ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
date_and_time_to_string(DAT) ->
case validate_date_and_time(DAT) of
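Review bot: `bin2int/1` is now copied verbatim into chat.erl, mail.erl, smtp.erl and yaws_session_server.erl; the fold `Acc * 256 + N` over the bytes is exactly big-endian unsigned decoding, which the standard library already provides as `binary:decode_unsigned/1` (available from OTP R14), so each call site can become e.g. `Cookie = integer_to_list(binary:decode_unsigned(crypto:rand_bytes(16))),` and the four private copies can be dropped, or at least moved into one shared module. Separately, `session_manager_init/0` no longer seeds the `random` module; if any other `random:uniform` call remains in mail.erl outside these hunks (I cannot see the rest of the file), it now runs on the module's fixed default seed and becomes predictable, so that is worth a grep before merging. The `session_manager/3` and `dat2str_boundary/1` bodies continue outside the shown hunks.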
@@ -88,7 +88,10 @@ dat2str_boundary({{Y, Mo, D}, {H, M, S}}) ->
lists:flatten(
io_lib:format("~s_~2.2.0w_~s_~w_~2.2.0w:~2.2.0w:~2.2.0w_~w",
[weekday(Y,Mo,D), D, int_to_mt(Mo),
- Y,H,M,S,random:uniform(5000)])).
+ Y,H,M,S,bin2int(crypto:rand_bytes(4))])).
+
+bin2int(Bin) ->
+ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
smtp_init(Server, From, Recipients) ->
@@ -151,8 +151,8 @@ handle_call({new_session, Opaque, undefined, Cleanup, Cookie}, From, State) ->
handle_call({new_session, Opaque, ?TTL, Cleanup, Cookie}, From, State);
handle_call({new_session, Opaque, TTL, Cleanup, undefined}, From, State) ->
- N = crypto:rand_bytes(16),
- Cookie = atom_to_list(node()) ++ [$-|binary_to_list(N)],
+ N = bin2int(crypto:rand_bytes(16)),
+ Cookie = atom_to_list(node()) ++ [$-|integer_to_list(N)],
handle_call({new_session, Opaque, TTL, Cleanup, Cookie}, From, State);
handle_call({new_session, Opaque, TTL, Cleanup, Cookie}, _From, State) ->
@@ -269,6 +269,9 @@ code_change(_OldVsn, Data, _Extra) ->
%%% Internal functions
%%%----------------------------------------------------------------------
+bin2int(Bin) ->
+ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+
%% timeout once every hour even if the server handles traffic all the time.
start_long_timer() ->
erlang:send_after(long_to(), self(), long_timeout).
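Review bot: The new `Cookie = atom_to_list(node()) ++ [$-|integer_to_list(N)]` line keeps the Erlang node name (typically `name@host`) as a client-visible prefix of the session cookie, so every session handed out discloses the node and host name to the browser; only the random part carries any security value, and the prefix was already present on the line being replaced, but this is the moment to decide whether it is needed at all. If the prefix only serves to make cookies distinguishable per node, a short comment stating that, e.g. `%% node name prefix is informational only; the secret part is the random integer`, would stop a future reader from relying on it for uniqueness or secrecy. The `handle_call/3` clause this line belongs to continues in the surrounding lines of the hunk.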

2 comments on commit ed75b53

djui commented on ed75b53 Jun 29, 2012

Is 1.94 already official (I can't find the tag)? And is it safe to use that version now, or should the security-flaw patch be cherry-picked?
