LP #1071067: Use a stronger random number generator and a constant ti…

…me comparison function.
zopefoundation · Oct 31, 2012 · 8e127f8 · 8e127f8
1 parent 41be01e
commit 8e127f8
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 6 deletions.
diff --git a/src/Products/Sessions/BrowserIdManager.py b/src/Products/Sessions/BrowserIdManager.py
@@ -1,5 +1,5 @@
 ############################################################################
-# 
+#
 # Copyright (c) 2002 Zope Foundation and Contributors.
 #
 # This software is subject to the provisions of the Zope Public License,
@@ -10,10 +10,12 @@
 # FOR A PARTICULAR PURPOSE
 #
 ############################################################################
+
 import binascii
 from cgi import escape
+from hashlib import sha256
 import logging
-import random
+import os
 import re
 import string
 import sys
@@ -63,6 +65,29 @@
 
 LOG = logging.getLogger('Zope.BrowserIdManager')
 
+# Use the system PRNG if possible
+import random
+try:
+    random = random.SystemRandom()
+    using_sysrandom = True
+except NotImplementedError:
+    using_sysrandom = False
+
+
+def _randint(start, end):
+    if not using_sysrandom:
+        # This is ugly, and a hack, but it makes things better than
+        # the alternative of predictability. This re-seeds the PRNG
+        # using a value that is hard for an attacker to predict, every
+        # time a random string is required. This may change the
+        # properties of the chosen random sequence slightly, but this
+        # is better than absolute predictability.
+        random.seed(sha256(
+            "%s%s%s" % (random.getstate(), time.time(), os.getpid())
+        ).digest())
+    return random.randint(start, end)
+
+
 def constructBrowserIdManager(
     self, id=BROWSERID_MANAGER_NAME, title='', idname='_ZopeId',
     location=('cookies', 'form'), cookiepath='/', cookiedomain='',
@@ -553,7 +578,7 @@ def isAWellFormedBrowserId(bid, binerr=binascii.Error):
         return None
 
 
-def getNewBrowserId(randint=random.randint, maxint=99999999):
+def getNewBrowserId(randint=_randint, maxint=99999999):
     """ Returns 19-character string browser id
     'AAAAAAAABBBBBBBB'
     where:
@@ -568,5 +593,4 @@ def getNewBrowserId(randint=random.randint, maxint=99999999):
 
     An example is: 89972317A0C3EHnUi90w
     """
-    return '%08i%s' % (randint(0, maxint-1), getB64TStamp())
-
+    return '%08i%s' % (randint(0, maxint - 1), getB64TStamp())
diff --git a/versions.cfg b/versions.cfg
@@ -5,7 +5,7 @@ versions = versions
 [versions]
 # Zope2-specific
 Zope2 =
-AccessControl = 3.0.5
+AccessControl = 3.0.6
 Acquisition = 4.0a1
 DateTime = 3.0.2
 DocumentTemplate = 2.13.2