From 52edf789c27a922dec648c49fec259d44a08b42d Mon Sep 17 00:00:00 2001
From: Wolfgang Taferner
Date: Wed, 29 Jul 2015 09:40:16 +0200
Subject: [PATCH 1/3] [FIX] auth_crypt: safer import of base module

Commit 856bc6f2b147970245f96e26d882f114c32e035c may cause an issue if the auth_crypt module is loaded before the base module. That should never happen in normal circumstances, but forcing an explicit import does not hurt and makes it safer.

Closes #6742
---
 addons/auth_crypt/auth_crypt.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/addons/auth_crypt/auth_crypt.py b/addons/auth_crypt/auth_crypt.py
index a7e3a826223..9724b511a05 100644
--- a/addons/auth_crypt/auth_crypt.py
+++ b/addons/auth_crypt/auth_crypt.py
@@ -22,7 +22,8 @@ _logger = logging.getLogger(__name__)
 magic_md5 = '$1$'
 magic_sha256 = '$5$'
-openerp.addons.base.res.res_users.USER_PRIVATE_FIELDS.append('password_crypt')
+from openerp.addons.base.res import res_users
+res_users.USER_PRIVATE_FIELDS.append('password_crypt')
 def gen_salt(length=8, symbols=None):
     if symbols is None:

From 93f5f86afd3e92f2e9b5559355e94982de45c43a Mon Sep 17 00:00:00 2001
From: Colin Newell
Date: Mon, 27 Jul 2015 17:27:21 +0100
Subject: [PATCH 2/3] [FIX] auth_signup, event_moodle, pad, share, survey: use system random number generator

Switch to system random as number generator instead of the default PRNG, which is not recommended for generating security-related values such as unique tokens.

Closes #7761
---
 addons/auth_signup/res_users.py | 2 +-
 addons/event_moodle/event_moodle.py | 3 +--
 addons/pad/pad.py | 2 +-
 addons/share/wizard/share_wizard.py | 2 +-
 addons/survey/wizard/survey_send_invitation.py | 4 ++--
 5 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/addons/auth_signup/res_users.py b/addons/auth_signup/res_users.py
index e29d55ba47b..b896e92558d 100644
--- a/addons/auth_signup/res_users.py
+++ b/addons/auth_signup/res_users.py
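Review bot: The new `res_users.USER_PRIVATE_FIELDS.append('password_crypt')` still runs unconditionally at import time, so a second import of this module (a reload during development, or the module being reached by two import paths) appends the field name twice. Guarding it makes the side effect idempotent: `if 'password_crypt' not in res_users.USER_PRIVATE_FIELDS:` / `    res_users.USER_PRIVATE_FIELDS.append('password_crypt')`. A duplicate entry in that list is presumably harmless, so this is a robustness point rather than a bug. As a point of style, the added `from openerp.addons.base.res import res_users` sits between the `magic_*` constants and `gen_salt` rather than with the file's other imports; a one-line comment such as `# explicit import so base is loaded before this module's patching` would explain why it lives here.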
@@ -34,7 +34,7 @@ class SignupError(Exception):
 def random_token():
     # the token has an entropy of about 120 bits (6 bits/char * 20 chars)
     chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
-    return ''.join(random.choice(chars) for i in xrange(20))
+    return ''.join(random.SystemRandom().choice(chars) for i in xrange(20))
 def now(**kwargs):
     dt = datetime.now() + timedelta(**kwargs)
diff --git a/addons/event_moodle/event_moodle.py b/addons/event_moodle/event_moodle.py
index 5c7373d1adb..730eabdfc02 100644
--- a/addons/event_moodle/event_moodle.py
+++ b/addons/event_moodle/event_moodle.py
@@ -24,7 +24,6 @@ import xmlrpclib
 import string
 import time
 import random
-from random import sample
 from openerp.tools.translate import _
 class event_moodle(osv.osv):
@@ -123,7 +122,7 @@ class event_moodle(osv.osv):
         """
         rand = string.ascii_letters + string.digits
         length = 8
-        passwd = ''.join(sample(rand, length))
+        passwd = ''.join(random.SystemRandom().sample(rand, length))
         passwd = passwd + '+'
         return passwd
diff --git a/addons/pad/pad.py b/addons/pad/pad.py
index 0eb92808053..18be38269b7 100644
--- a/addons/pad/pad.py
+++ b/addons/pad/pad.py
@@ -35,7 +35,7 @@ class pad_common(osv.osv_memory):
         pad["server"] = pad["server"].rstrip('/')
         # generate a salt
         s = string.ascii_uppercase + string.digits
-        salt = ''.join([s[random.randint(0, len(s) - 1)] for i in range(10)])
+        salt = ''.join([s[random.SystemRandom().randint(0, len(s) - 1)] for i in range(10)])
         #path
         # etherpad hardcodes pad id length limit to 50
         path = '-%s-%s' % (self._name, salt)
diff --git a/addons/share/wizard/share_wizard.py b/addons/share/wizard/share_wizard.py
index 41ccf0bead5..0920081baa8 100644
--- a/addons/share/wizard/share_wizard.py
+++ b/addons/share/wizard/share_wizard.py
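Review bot: `random.SystemRandom()` is constructed inside the generator expression on the added line, so one call to `random_token` builds twenty `SystemRandom` objects for a single token. Construct it once and reuse it: `rng = random.SystemRandom()` / `return ''.join(rng.choice(chars) for i in xrange(20))`. `SystemRandom` reads `os.urandom` and keeps no seed state, so a single module-level `_rng = random.SystemRandom()` shared by the helpers touched in this commit would also be safe and would stop the idiom being repeated in five files. The existing comment above `chars` is accurate (62 symbols is about 5.95 bits per character, about 119 bits for 20) and can stay as is.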
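Review bot: `random.SystemRandom().sample(rand, length)` draws the 8 characters without replacement, so the generated Moodle password can never contain a repeated character; an attacker who knows the generator gets a somewhat smaller search space than the 62^8 the alphabet suggests, and the restriction buys nothing. Draw each position independently instead: `rng = random.SystemRandom()` / `passwd = ''.join(rng.choice(rand) for i in range(length))`. The fixed `'+'` appended on the next line is presumably there to satisfy a Moodle password policy requiring a non-alphanumeric character; a one-line comment saying so would stop a later reader from removing it. The method's `def` line and docstring begin before this hunk.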
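Review bot: The added salt line creates a new `random.SystemRandom()` on every one of the ten iterations and then indexes `s` by hand with `randint(0, len(s) - 1)`, which is exactly what `choice` does internally. `rng = random.SystemRandom()` / `salt = ''.join(rng.choice(s) for i in range(10))` produces the same 10-character uppercase/digit salt (about 51.7 bits) and reads as intended. The enclosing method starts before this hunk; the `#path` comment below the change could also say what the salt is for in the pad id, e.g. `# random suffix so pad ids are unguessable`, if that is indeed the reason (the hunk does not say).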
@@ -47,7 +47,7 @@ DOMAIN_ALL = [(1, '=', 1)]
 # A good selection of easy to read password characters (e.g. no '0' vs 'O', etc.)
 RANDOM_PASS_CHARACTERS = 'aaaabcdeeeefghjkmnpqrstuvwxyzAAAABCDEEEEFGHJKLMNPQRSTUVWXYZ23456789'
 def generate_random_pass():
-    return ''.join(random.sample(RANDOM_PASS_CHARACTERS,10))
+    return ''.join(random.SystemRandom().sample(RANDOM_PASS_CHARACTERS,10))
 class share_wizard(osv.TransientModel):
     _name = 'share.wizard'
diff --git a/addons/survey/wizard/survey_send_invitation.py b/addons/survey/wizard/survey_send_invitation.py
index 177815c24b5..e2304811d82 100644
--- a/addons/survey/wizard/survey_send_invitation.py
+++ b/addons/survey/wizard/survey_send_invitation.py
@@ -20,7 +20,7 @@
 ##############################################################################
 import time
-from random import choice
+import random
 import string
 import os
 import datetime
@@ -51,7 +51,7 @@ class survey_send_invitation(osv.osv_memory):
     def genpasswd(self):
         chars = string.letters + string.digits
-        return ''.join([choice(chars) for i in range(6)])
+        return ''.join([random.SystemRandom().choice(chars) for i in range(6)])
     def default_get(self, cr, uid, fields_list, context=None):
         if context is None:

From b4de311b0c04d9ac4e576a7d72e47fe48ca5e405 Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Wed, 29 Jul 2015 13:48:12 +0200
Subject: [PATCH 3/3] [FIX] auth_crypt: use system random number generator

Switch to system random as number generator instead of the default PRNG, which is not recommended for generating security-related values such as unique tokens.

(Complements parent commit)

Closes #7761
---
 addons/auth_crypt/auth_crypt.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/addons/auth_crypt/auth_crypt.py b/addons/auth_crypt/auth_crypt.py
index 9724b511a05..3aac70c1a59 100644
--- a/addons/auth_crypt/auth_crypt.py
+++ b/addons/auth_crypt/auth_crypt.py
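Review bot: `sample(RANDOM_PASS_CHARACTERS,10)` draws without replacement, which sits badly with the repeated `a`/`e`/`A`/`E` entries in the alphabet two lines above: each pick removes one copy, so whatever weighting those duplicates were meant to give is partly undone and the ten positions are not independent. Independent draws keep the intended distribution and the full search space: `rng = random.SystemRandom()` / `return ''.join(rng.choice(RANDOM_PASS_CHARACTERS) for i in range(10))`. If the duplicates are deliberate (the comment only says the set is easy to read), extending that comment with one sentence, e.g. `# common letters are repeated so they are drawn more often`, would record it; if not, the alphabet should lose them.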
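Review bot: The context line above the change, `chars = string.letters + string.digits`, uses `string.letters`, which on Python 2 is locale-dependent and can include non-ASCII bytes under a non-C locale, so the generated password would vary with the server's locale and may not survive being mailed or typed; the commit leaves this in place. Use the locale-independent set, as the event_moodle hunk in this same commit already does, and build the generator once: `chars = string.ascii_letters + string.digits` / `rng = random.SystemRandom()` / `return ''.join(rng.choice(chars) for i in range(6))`. Six characters from 62 is only about 36 bits; if this value is handed out as a survey access credential (the wizard name suggests so, but the hunk does not show its use) a longer token would be worth considering separately. The enclosing class starts before this hunk.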
@@ -11,7 +11,7 @@ import hashlib
 import hmac
 import logging
-from random import sample
+import random
 from string import ascii_letters, digits
 import openerp
@@ -28,7 +28,7 @@ res_users.USER_PRIVATE_FIELDS.append('password_crypt')
 def gen_salt(length=8, symbols=None):
     if symbols is None:
         symbols = ascii_letters + digits
-    return ''.join(sample(symbols, length))
+    return ''.join(random.SystemRandom().sample(symbols, length))
 def md5crypt( raw_pw, salt, magic=magic_md5 ):
     """ md5crypt FreeBSD crypt(3) based on but different from md5
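Review bot: `random.SystemRandom().sample(symbols, length)` raises `ValueError` as soon as `length` exceeds the number of symbols (62 by default, fewer when a caller passes its own `symbols`), and it never repeats a character, which is a restriction a crypt(3) salt does not need and which slightly shrinks the salt space. Independent draws have neither limitation: `rng = random.SystemRandom()` / `return ''.join(rng.choice(symbols) for i in range(length))`. The function also has no docstring; a one-liner such as `"""Return a random salt of ``length`` characters drawn from ``symbols`` (ASCII letters and digits by default)."""` would do. `md5crypt` below the change continues past the end of the hunk.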