Merge pull request #5133 from matrix-org/rav/systemrandom
Use SystemRandom for token generation.
This commit is contained in:
commit
1acfb9e9f0
2 changed files with 8 additions and 2 deletions
1
changelog.d/5133.bugfix
|
@ -0,0 +1 @@
|
|||
Switch to using a cryptographically-secure random number generator for token strings, ensuring they cannot be predicted by an attacker. Thanks to @opnsec for identifying and responsibly disclosing this issue!
|
|
@ -24,14 +24,19 @@ _string_with_symbols = (
|
|||
string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
|
||||
)
|
||||
|
||||
# random_string and random_string_with_symbols are used for a range of things,
|
||||
# some cryptographically important, some less so. We use SystemRandom to make sure
|
||||
# we get cryptographically-secure randoms.
|
||||
rand = random.SystemRandom()
|
||||
|
||||
|
||||
def random_string(length):
|
||||
return ''.join(random.choice(string.ascii_letters) for _ in range(length))
|
||||
return ''.join(rand.choice(string.ascii_letters) for _ in range(length))
|
||||
|
||||
|
||||
def random_string_with_symbols(length):
|
||||
return ''.join(
|
||||
random.choice(_string_with_symbols) for _ in range(length)
|
||||
rand.choice(_string_with_symbols) for _ in range(length)
|
||||
)
|
||||
|
||||
|
||||
|
|
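Review bot: The two rewritten functions still carry no docstring, so the guarantee stated in the comment block above `rand = random.SystemRandom()` is not visible at the call site; I would add to `random_string` something like `"""Return `length` random ASCII letters drawn from a cryptographically secure source (SystemRandom over os.urandom); suitable for tokens."""` and the equivalent wording on `random_string_with_symbols`. Because `length` is used only as a `range()` bound, a zero or negative value silently yields `''`; if any caller derives the token length from configuration, a guard such as `if length <= 0: raise ValueError("length must be positive")` would turn a misconfiguration into a failure rather than an empty token, though I cannot tell from the hunk whether such a caller exists. On interpreters that ship the `secrets` module (3.6+), `secrets.choice` is the standard-library equivalent of `rand.choice`; whether it is usable here depends on the project's Python floor, which the page does not show. The hunk opens inside the `_string_with_symbols` definition, so the module's import lines and any other `random.` uses in this file lie outside the view and are worth checking for the same switch.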