Use SystemRandom for token generation
This commit is contained in:
parent
ac6a0d72b2
commit
247dc1bd0b
|
@ -0,0 +1 @@
|
||||||
|
Switch to using a cryptographically-secure random number generator for token strings, ensuring they cannot be predicted by an attacker. Thanks to @opnsec for for identifying and responsibly disclosing this issue!
|
|
@ -24,14 +24,19 @@ _string_with_symbols = (
|
||||||
string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
|
string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# random_string and random_string_with_symbols are used for a range of things,
|
||||||
|
# some cryptographically important, some less so. We use SystemRandom to make sure
|
||||||
|
# we get cryptographically-secure randoms.
|
||||||
|
rand = random.SystemRandom()
|
||||||
|
|
||||||
|
|
||||||
def random_string(length):
|
def random_string(length):
|
||||||
return ''.join(random.choice(string.ascii_letters) for _ in range(length))
|
return ''.join(rand.choice(string.ascii_letters) for _ in range(length))
|
||||||
|
|
||||||
|
|
||||||
def random_string_with_symbols(length):
|
def random_string_with_symbols(length):
|
||||||
return ''.join(
|
return ''.join(
|
||||||
random.choice(_string_with_symbols) for _ in range(length)
|
rand.choice(_string_with_symbols) for _ in range(length)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
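Review bot: Both functions now draw from `rand` (a `SystemRandom`) but still have no docstring, so nothing tells the next maintainer why `random.choice` must not come back; I'd add to `random_string` a docstring along the lines of `"""Return `length` random ASCII letters from SystemRandom (os.urandom-backed), about 5.7 bits of entropy per character; safe for tokens."""` and the equivalent on `random_string_with_symbols`, whose 76-character alphabet gives about 6.25 bits per character. The new comment above `rand` says some callers are cryptographically important but gives no sizing guidance, so a line such as `# for a 128-bit token pass length >= 23 (letters only) or >= 21 (with symbols)` would make the caller's responsibility explicit. If the project is on Python 3.6 or later, `secrets.choice` is the stdlib entry point documented for exactly this and reads more clearly than a module-level `SystemRandom` instance named `rand`, with identical behaviour since `secrets` wraps `SystemRandom`. The `_string_with_symbols` assignment this hunk closes starts before the hunk.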