uuid.uuid1() should use uuid_generate_time_safe() if available #66996
Comments
I'm classifying this as a security issue, since using uuid_generate_time() -- i.e. the not _safe() variety -- does return collisions in real world cases that we've seen, and those could have security implications. However, I don't know that this can be exploited in any real world cases, so I'm not making it private or sending to security@.

The basic problem is that uuid.uuid1() uses uuid_generate_time(3), but if the synchronization methods used in that C function's manpage are not used, then two concurrent processes can -- and do in our cases -- return the same UUID. I would propose that if uuid_generate_time_safe() is available, this should be used instead, and the return value should be checked to see if a safe method was used. If not, then uuid1() should fall back to the pure-Python approach.

FWIW, I'm not convinced the pure Python fallback code is sufficient either; time.time() doesn't have the necessary resolution AFAIK? Also clock_seq is generated using the random module's Mersenne Twister, not SystemRandom().
On Nov 06, 2014, at 08:10 PM, Alex Gaynor wrote:
Perhaps, but that's a different bug. ;)

-----snip snip-----
from uuid import UUID
import ctypes
import ctypes.util

# Load the system libuuid and look up the _safe variant of the
# time-based generator.
lib = ctypes.CDLL(ctypes.util.find_library('uuid'))
_ugts = lib.uuid_generate_time_safe
# uuid_generate_time_safe() fills a 16-byte buffer with the UUID.
_buffer = ctypes.create_string_buffer(16)
retval = _ugts(_buffer)
# Remember, this is C!  A return value of 0 means a synchronization
# mechanism was used; non-zero means it was not.
is_safe = (retval == 0)
print('{} is safe? {}'.format(UUID(bytes=_buffer.raw), is_safe))

On Ubuntu 14.10, gives me:

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is safe? True
I changed my mind on whether this should affect older versions of Python. I have a branch which adds a UUID.is_safe attribute that relays the platform information about whether the UUID was generated safely or not, if available. It's an enum named SafeUUID with values .safe, .unsafe, .unknown (the default).
I don't understand this change well. What am I supposed to do with a UUID with safe=False? Should I loop on the function until I get safe==True? "safe for multiprocessing applications": does it mean unique on the whole system? I looked at the uuid_generate_time_safe(3) manual page, which mentions "synchronization mechanisms (see above)", but they are not documented.

This issue was only fixed in Python 3.7. Does it mean that it's no longer considered a security vulnerability?
On Feb 20, 2017, at 02:21 PM, STINNER Victor wrote:
It would be an application dependent response. It might be that you would

The point of this change is that it provides information to the application
I believe some systems at least use interprocess communication with a daemon
I should remove that tag. While this could have an impact on application

Oh, and because the fix is an API change, I don't believe it should be applied to earlier versions. So I think adding the API in 3.7 is all the fix needed here.
>>> import uuid
>>> u=uuid.uuid4()
>>> u.is_safe
<SafeUUID.unknown: None>

Can't we consider that UUID4 is always safe?
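An added example, not code from this thread or from CPython, showing how an application on Python 3.7 or later can act on the SafeUUID information described in the comments above (the is_safe attribute, and the fact that uuid4() leaves it at SafeUUID.unknown because the platform reports nothing for it). The helper names, the generator parameters of pick_identifier(), and the UUIDs built in the demo are my own constructions; the policy shown (keep a time-based UUID only when the platform vouches for it, otherwise fall back to a random one) is one possible application-level response, not something the thread prescribes.

```python
import uuid
from uuid import SafeUUID, UUID

# Requires Python 3.7+, where UUID.is_safe and the SafeUUID enum exist.


def describe_safety(u):
    """Translate UUID.is_safe into what it means for concurrent generation."""
    if u.is_safe is SafeUUID.safe:
        # uuid_generate_time_safe() returned 0: libuuid used one of its
        # synchronization mechanisms, so no other process on this host
        # received the same UUID.
        return "safe"
    if u.is_safe is SafeUUID.unsafe:
        # Non-zero return: no synchronization, so concurrent processes
        # may hand out the same UUID (the collision the thread describes).
        return "unsafe"
    # Pure-Python fallback, uuid4(), or a UUID built by hand: the
    # platform gave no information either way.
    return "unknown"


def pick_identifier(time_uuid_generator=uuid.uuid1,
                    random_uuid_generator=uuid.uuid4):
    """Return (uuid, source).

    Keep the time-based UUID only when the platform vouches for it;
    otherwise use a random (version 4) UUID, whose uniqueness rests on
    os.urandom rather than on cross-process coordination.  The two
    generator parameters are hypothetical hooks (not part of the uuid
    module) so the policy can be exercised with constructed UUIDs.
    """
    candidate = time_uuid_generator()
    if candidate.is_safe is SafeUUID.safe:
        return candidate, "uuid1"
    return random_uuid_generator(), "uuid4-fallback"


def find_duplicates(uuids):
    """Return the set of UUIDs occurring more than once in a batch,
    e.g. identifiers collected from several worker processes.

    Note that UUID equality ignores is_safe: two UUIDs with the same
    128-bit value are the same identifier whatever the platform said.
    """
    seen = set()
    dupes = set()
    for u in uuids:
        if u in seen:
            dupes.add(u)
        seen.add(u)
    return dupes


if __name__ == "__main__":
    live = uuid.uuid1()
    print("uuid1() on this host:", live, "->", describe_safety(live))
    chosen, source = pick_identifier()
    print("identifier policy picked:", chosen, "from", source)

    # Constructed batch: the same value reported twice, as two processes
    # using the unsynchronized generator might produce.
    batch = [
        UUID(int=0x1234, is_safe=SafeUUID.unsafe),
        UUID(int=0x5678, is_safe=SafeUUID.unsafe),
        UUID(int=0x1234, is_safe=SafeUUID.unsafe),
    ]
    print("duplicates in constructed batch:", find_duplicates(batch))
```

Running the script prints whatever the local libuuid reports for the live uuid1() call, which is the point: the value differs between hosts, and an application that cares about cross-process uniqueness has to inspect it rather than assume it.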
On Feb 20, 2017, at 03:45 PM, STINNER Victor wrote:
It's not a guarantee made by the underlying platform, so I chose to use the

This breaks pickle compatibility. UUIDs pickled in 3.7 can't be unpickled in older Python versions because they do not have the SafeUUID class. See bpo-30977 for a possible solution.