
The random patch for 1.93 wasn't good enough as discovered by Sergei …

…Golovan, we need to cater for non-printable chars
1 parent 92a1a27 commit ed75b53fbe8408962283902c2658bb2d45d5109e @klacke committed Jun 24, 2012
Showing with 18 additions and 17 deletions.
  1. +4 −1 applications/chat/src/chat.erl
  2. +5 −13 applications/mail/src/mail.erl
  3. +4 −1 applications/mail/src/smtp.erl
  4. +5 −2 src/yaws_session_server.erl
@@ -148,7 +148,7 @@ chat_server(Users0) ->
end,
chat_server(Users);
{new_session, User, From} ->
- Cookie = integer_to_list(random:uniform(1 bsl 50)),
+ Cookie = integer_to_list(bin2int(crypto:rand_bytes(16))),
Session = #user{cookie=Cookie, user=User, color=pick_color()},
From ! {session_manager, Cookie, Session},
chat_server([Session|Users]);
@@ -188,6 +188,9 @@ chat_server(Users0) ->
chat_server(Users)
end.
+bin2int(Bin) ->
+ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+
%%
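Review bot: The session cookie on the `+ Cookie = integer_to_list(bin2int(crypto:rand_bytes(16)))` line is drawn from `crypto:rand_bytes/1`, which in OTP releases of this period is backed by OpenSSL's pseudo-random path, whereas `crypto:strong_rand_bytes/1` (added in R14B03, as far as I recall) is the call intended for unguessable identifiers such as session cookies; the same applies to the `new_session` clause in mail.erl and to yaws_session_server.erl. The `bin2int/1` helper added here is also copied verbatim into mail.erl, smtp.erl and yaws_session_server.erl; one shared definition would avoid drift, and a binary match removes the need for it altogether: `<<N:128>> = crypto:strong_rand_bytes(16), Cookie = integer_to_list(N)`. Since chat.erl did not call crypto before this change, the chat application presumably needs crypto among its declared dependencies so releases start it; please confirm against the .app file.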
@@ -1053,8 +1053,6 @@ session_server() ->
end.
session_manager_init() ->
- {X,Y,Z} = seed(),
- random:seed(X, Y, Z),
session_manager([], now(), read_config()).
session_manager(C0, LastGC0, Cfg) ->
@@ -1078,7 +1076,7 @@ session_manager(C0, LastGC0, Cfg) ->
end,
session_manager(C, LastGC, Cfg);
{new_session, Session, From} ->
- Cookie = integer_to_list(random:uniform(1 bsl 50)),
+ Cookie = integer_to_list(bin2int(crypto:rand_bytes(16))),
From ! {session_manager, Cookie},
session_manager([{Cookie, Session#session{cookie=Cookie},
now()}|C], LastGC, Cfg);
@@ -1219,15 +1217,6 @@ sendtimeout() -> req(sendtimeout).
diff({M1,S1,_}, {M2,S2,_}) ->
(M2-M1)*1000000+(S2-S1).
-seed() ->
- case (catch list_to_binary(
- os:cmd("dd if=/dev/urandom ibs=12 count=1 2>/dev/null"))) of
- <<X:32, Y:32, Z:32>> ->
- {X, Y, Z};
- _ ->
- now()
- end.
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
retr(Server, User, Password, Nr) ->
@@ -1959,7 +1948,10 @@ dat2str_boundary([Y1,Y2, Mo, D, H, M, S | _Diff]) ->
lists:flatten(
io_lib:format("~s_~2.2.0w_~s_~w_~2.2.0w:~2.2.0w:~2.2.0w_~w",
[weekday(Y1,Y2,Mo,D), D, int_to_mt(Mo),
- y(Y1,Y2),H,M,S,random:uniform(5000)])).
+ y(Y1,Y2),H,M,S,bin2int(crypto:rand_bytes(4))])).
+
+bin2int(Bin) ->
+ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
date_and_time_to_string(DAT) ->
case validate_date_and_time(DAT) of
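Review bot: With `seed/0` and the `random:seed/3` call removed from `session_manager_init/0`, any `random:uniform` call that may remain elsewhere in mail.erl now runs on the module's default seed and becomes predictable across restarts; the two call sites visible in this commit are converted, but the rest of the file is outside these hunks, so a search for `random:` before merging would settle it. Dropping the `os:cmd("dd if=/dev/urandom ...")` shell-out is itself an improvement. For the MIME boundary in `dat2str_boundary`, `<<R:32>> = crypto:rand_bytes(4)` reads the four bytes directly without the `binary_to_list`/`foldl` detour in `bin2int/1`.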
@@ -88,7 +88,10 @@ dat2str_boundary({{Y, Mo, D}, {H, M, S}}) ->
lists:flatten(
io_lib:format("~s_~2.2.0w_~s_~w_~2.2.0w:~2.2.0w:~2.2.0w_~w",
[weekday(Y,Mo,D), D, int_to_mt(Mo),
- Y,H,M,S,random:uniform(5000)])).
+ Y,H,M,S,bin2int(crypto:rand_bytes(4))])).
+
+bin2int(Bin) ->
+ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
smtp_init(Server, From, Recipients) ->
@@ -151,8 +151,8 @@ handle_call({new_session, Opaque, undefined, Cleanup, Cookie}, From, State) ->
handle_call({new_session, Opaque, ?TTL, Cleanup, Cookie}, From, State);
handle_call({new_session, Opaque, TTL, Cleanup, undefined}, From, State) ->
- N = crypto:rand_bytes(16),
- Cookie = atom_to_list(node()) ++ [$-|binary_to_list(N)],
+ N = bin2int(crypto:rand_bytes(16)),
+ Cookie = atom_to_list(node()) ++ [$-|integer_to_list(N)],
handle_call({new_session, Opaque, TTL, Cleanup, Cookie}, From, State);
handle_call({new_session, Opaque, TTL, Cleanup, Cookie}, _From, State) ->
@@ -269,6 +269,9 @@ code_change(_OldVsn, Data, _Extra) ->
%%% Internal functions
%%%----------------------------------------------------------------------
+bin2int(Bin) ->
+ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+
%% timeout once every hour even if the server handles traffic all the time.
start_long_timer() ->
erlang:send_after(long_to(), self(), long_timeout).
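Review bot: The cookie built on the `+ Cookie = atom_to_list(node()) ++ [$-|integer_to_list(N)]` line still prefixes the random part with the Erlang node name, which typically embeds the hostname, so every session cookie discloses it to the client; the 128-bit random value alone gives uniqueness, so `Cookie = integer_to_list(N)` would suffice unless something on the cluster side parses the node prefix (the surrounding `handle_call/3` clauses show no sign of that). For a session identifier `crypto:strong_rand_bytes/1` is the appropriate source rather than `crypto:rand_bytes/1`, and the binary match `<<N:128>> = crypto:strong_rand_bytes(16)` replaces `bin2int/1`, which is otherwise a fourth copy of the helper this commit adds to chat.erl, mail.erl and smtp.erl.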

2 comments on commit ed75b53

Contributor

djui replied Jun 29, 2012

Is 1.94 already official (can't find the tag)? And is it safe now to use that version, or should one cherry-pick the security flaw patch?

Owner

klacke replied Jun 29, 2012
