Francois Gouget : testbot/web: Use a cryptographically secure random number generator.
Alexandre Julliard
julliard at winehq.org
Tue Feb 4 13:07:48 CST 2020
Module: tools
Branch: master
Commit: 617f67bdeafa9e686c4378160ea912e8eaf2d00c
URL: https://source.winehq.org/git/tools.git/?a=commit;h=617f67bdeafa9e686c4378160ea912e8eaf2d00c
Author: Francois Gouget <fgouget at codeweavers.com>
Date: Tue Feb 4 15:51:42 2020 +0100
testbot/web: Use a cryptographically secure random number generator.
Session ids should really be hard to guess so a user cannot take over
another's session.
This also fixes a bug where the session id length could be less than
32 characters.
Note:
* This introduces a dependency on the Bytes::Random::Secure Perl
module.
Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
testbot/doc/INSTALL.txt | 1 +
testbot/lib/WineTestBot/CGI/Sessions.pm | 8 +++-----
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/testbot/doc/INSTALL.txt b/testbot/doc/INSTALL.txt
index 456ffe6..4d430d9 100644
--- a/testbot/doc/INSTALL.txt
+++ b/testbot/doc/INSTALL.txt
@@ -6,6 +6,7 @@ Dependencies:
- MySQL
- Perl DBD and DBI::mysql modules
- Sendmail and Procmail
+- Bytes::Random::Secure (libbytes-random-secure-perl)
- Sys::Virt (libsys-virt-perl, see http://libvirt.org/)
- Image::Magick (perlmagick)
- Optional: IO::Socket::IP (for IPv6, libio-socket-ip-perl)
diff --git a/testbot/lib/WineTestBot/CGI/Sessions.pm b/testbot/lib/WineTestBot/CGI/Sessions.pm
index 380d4b8..0afe6c9 100644
--- a/testbot/lib/WineTestBot/CGI/Sessions.pm
+++ b/testbot/lib/WineTestBot/CGI/Sessions.pm
@@ -56,7 +56,9 @@ use WineTestBot::WineTestBotObjects;
our @ISA = qw(WineTestBot::WineTestBotCollection);
our @EXPORT = qw(CreateSessions DeleteSessions NewSession);
+use Bytes::Random::Secure;
use CGI::Cookie;
+
use ObjectModel::BasicPropertyDescriptor;
use ObjectModel::ItemrefPropertyDescriptor;
use WineTestBot::Users;
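Review bot: Style point on the new `use Bytes::Random::Secure;` line: the only function used later in this file is called fully-qualified as `Bytes::Random::Secure::random_bytes_hex`, so either an explicit import list (`use Bytes::Random::Secure qw(random_bytes_hex);`) or an empty one (`use Bytes::Random::Secure ();`) would document which symbol is relied on and keep whatever the module exports by default out of this package's namespace. The added blank line after `use CGI::Cookie;` separates the CPAN modules from the project's own ObjectModel/WineTestBot imports, which reads fine.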
@@ -123,11 +125,7 @@ sub NewSession($$$)
my $Id;
while (defined($Existing))
{
- $Id = "";
- foreach my $i (1..8)
- {
- $Id .= sprintf("%lx", int(rand(2 ** 16)));
- }
+ $Id = Bytes::Random::Secure::random_bytes_hex(16);
$Existing = $self->GetItem($Id);
}
$Session->Id($Id);
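Review bot: Two things worth confirming for the `random_bytes_hex(16)` line: that the Session Id column and any validation on it accept exactly 32 characters now that the length is fixed, and that the module's functional interface cannot block the CGI process on its first call on a low-entropy host (the module documents a NonBlocking option on its object interface; check what the defaults used here do). On the fix itself, the old `sprintf("%lx", int(rand(2 ** 16)))` produced between 1 and 4 hex digits per iteration, so eight iterations gave anywhere from 8 to 32 characters from Perl's non-cryptographic `rand`, whereas `random_bytes_hex(16)` always returns 32 lowercase hex digits carrying 128 bits from a CSPRNG. The `while (defined($Existing))` loop around `GetItem` is practically redundant at that entropy level but harmless to keep as a guard.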