[Zope-Checkins] SVN: Zope/branches/2.13/ LP #1071067: Use a stronger random number generator and a constant time comparison function.
Hano Schlichting
cvs-admin at zope.org
Wed Oct 31 14:14:37 UTC 2012
Log message for revision 128161:
LP #1071067: Use a stronger random number generator and a constant time comparison function.
Changed:
U Zope/branches/2.13/doc/CHANGES.rst
U Zope/branches/2.13/setup.py
U Zope/branches/2.13/src/Products/Sessions/BrowserIdManager.py
U Zope/branches/2.13/versions.cfg
-=-
Modified: Zope/branches/2.13/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.13/doc/CHANGES.rst 2012-10-31 14:14:15 UTC (rev 128160)
+++ Zope/branches/2.13/doc/CHANGES.rst 2012-10-31 14:14:36 UTC (rev 128161)
@@ -5,12 +5,12 @@
Change information for previous versions of Zope can be found at
http://docs.zope.org/zope2/releases/.
-2.13.19 (unreleased)
+2.13.19 (2012-10-31)
--------------------
- Updated distributions:
- - AccessControl = 2.13.11
+ - AccessControl = 2.13.12
- distribute = 0.6.29
- mr.developer = 1.22
- pytz = 2012g
@@ -18,6 +18,9 @@
- repoze.tm2 = 1.0
- tempstorage = 2.12.2
+- LP #1071067: Use a stronger random number generator and a constant time
+ comparison function.
+
- LP #1061247: Fix ZMI properties edit form for properties named `method`.
- LP #1058049: Fix support for zoperunner section in zope.conf.
Modified: Zope/branches/2.13/setup.py
===================================================================
--- Zope/branches/2.13/setup.py 2012-10-31 14:14:15 UTC (rev 128160)
+++ Zope/branches/2.13/setup.py 2012-10-31 14:14:36 UTC (rev 128161)
@@ -23,7 +23,7 @@
setup(name='Zope2',
- version='2.13.19dev',
+ version='2.13.19',
url='http://zope2.zope.org',
license='ZPL 2.1',
description='Zope2 application server / web framework',
Modified: Zope/branches/2.13/src/Products/Sessions/BrowserIdManager.py
===================================================================
--- Zope/branches/2.13/src/Products/Sessions/BrowserIdManager.py 2012-10-31 14:14:15 UTC (rev 128160)
+++ Zope/branches/2.13/src/Products/Sessions/BrowserIdManager.py 2012-10-31 14:14:36 UTC (rev 128161)
@@ -1,5 +1,5 @@
############################################################################
-#
+#
# Copyright (c) 2002 Zope Foundation and Contributors.
#
# This software is subject to the provisions of the Zope Public License,
@@ -10,10 +10,12 @@
# FOR A PARTICULAR PURPOSE
#
############################################################################
+
import binascii
from cgi import escape
+from hashlib import sha256
import logging
-import random
+import os
import re
import string
import sys
@@ -63,6 +65,29 @@
LOG = logging.getLogger('Zope.BrowserIdManager')
+# Use the system PRNG if possible
+import random
+try:
+ random = random.SystemRandom()
+ using_sysrandom = True
+except NotImplementedError:
+ using_sysrandom = False
+
+
+def _randint(start, end):
+ if not using_sysrandom:
+ # This is ugly, and a hack, but it makes things better than
+ # the alternative of predictability. This re-seeds the PRNG
+ # using a value that is hard for an attacker to predict, every
+ # time a random string is required. This may change the
+ # properties of the chosen random sequence slightly, but this
+ # is better than absolute predictability.
+ random.seed(sha256(
+ "%s%s%s" % (random.getstate(), time.time(), os.getpid())
+ ).digest())
+ return random.randint(start, end)
+
+
def constructBrowserIdManager(
self, id=BROWSERID_MANAGER_NAME, title='', idname='_ZopeId',
location=('cookies', 'form'), cookiepath='/', cookiedomain='',
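Review bot: The `except NotImplementedError` on the new `random = random.SystemRandom()` line never fires, so the `using_sysrandom = False` fallback looks unreachable: in the 2.x stdlib `SystemRandom()` only runs a stubbed `seed()`, and `os.urandom` — the call that raises NotImplementedError on a platform without an entropy source — is first invoked when `randint()` is called, i.e. inside `getNewBrowserId` at request time. Probing the source at import makes the detection real, e.g. `os.urandom(1)` as the first statement of the `try:` (`os` is imported above), and the fallback should not be silent: `LOG.warning('os.urandom unavailable; browser ids will use a re-seeded random.Random')` in the `except` branch gives operators a signal that session ids are coming from the weaker path. `_randint` also deserves a docstring saying it returns an integer in [start, end] from the system CSPRNG when available, and otherwise from `random.Random` re-seeded from its own state, `time.time()` and the pid before each draw; the existing inline comment already states that this only reduces, not removes, predictability. Moving `import random` out of the top import block onto its own line here is presumably deliberate (the module name is rebound to a SystemRandom instance), but a one-line comment saying so would save the next reader a double take.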
@@ -555,7 +580,7 @@
return None
-def getNewBrowserId(randint=random.randint, maxint=99999999):
+def getNewBrowserId(randint=_randint, maxint=99999999):
""" Returns 19-character string browser id
'AAAAAAAABBBBBBBB'
where:
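Review bot: With `_randint` as the new default, the random part of the id is still `randint(0, maxint - 1)` with `maxint=99999999`, i.e. 8 decimal digits (~26.6 bits); the remaining characters come from `getB64TStamp()`, which by its name is a timestamp, so the generator change removes predictability but not the narrow search space of the random portion. That is worth stating in the docstring so nobody reads "stronger random number generator" as "high-entropy id", e.g. `Only the first 8 characters are random (about 26.6 bits); the rest is a timestamp.`, and it frames any later decision to widen the random part. The body of `getNewBrowserId` continues outside this hunk.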
@@ -570,5 +595,4 @@
An example is: 89972317A0C3EHnUi90w
"""
- return '%08i%s' % (randint(0, maxint-1), getB64TStamp())
-
+ return '%08i%s' % (randint(0, maxint - 1), getB64TStamp())
Modified: Zope/branches/2.13/versions.cfg
===================================================================
--- Zope/branches/2.13/versions.cfg 2012-10-31 14:14:15 UTC (rev 128160)
+++ Zope/branches/2.13/versions.cfg 2012-10-31 14:14:36 UTC (rev 128161)
@@ -4,7 +4,7 @@
[versions]
# Zope2-specific
-Zope2 =
+Zope2 = 2.13.19
AccessControl = 2.13.11
Acquisition = 2.13.8
DateTime = 2.12.7