mirror of
https://github.com/django/django.git
synced 2024-12-01 15:42:04 +01:00
Refs #27635 -- Removed fallback when SystemRandom() isn't available that doesn't work.
Fallback was untested and likely never triggered.
This commit is contained in:
parent
5402061c80
commit
068005a349
@ -4,21 +4,10 @@ Django's standard crypto functions and utilities.
|
||||
import hashlib
|
||||
import hmac
|
||||
import random
|
||||
import time
|
||||
|
||||
from django.conf import settings
|
||||
from django.utils.encoding import force_bytes
|
||||
|
||||
# Use the system PRNG if possible
|
||||
try:
|
||||
random = random.SystemRandom()
|
||||
using_sysrandom = True
|
||||
except NotImplementedError:
|
||||
import warnings
|
||||
warnings.warn('A secure pseudo-random number generator is not available '
|
||||
'on your system. Falling back to Mersenne Twister.')
|
||||
using_sysrandom = False
|
||||
|
||||
|
||||
def salted_hmac(key_salt, value, secret=None):
|
||||
"""
|
||||
@ -54,18 +43,6 @@ def get_random_string(length=12,
|
||||
The default length of 12 with the a-z, A-Z, 0-9 character set returns
|
||||
a 71-bit value. log_2((26+26+10)^12) =~ 71 bits
|
||||
"""
|
||||
if not using_sysrandom:
|
||||
# This is ugly, and a hack, but it makes things better than
|
||||
# the alternative of predictability. This re-seeds the PRNG
|
||||
# using a value that is hard for an attacker to predict, every
|
||||
# time a random string is required. This may change the
|
||||
# properties of the chosen random sequence slightly, but this
|
||||
# is better than absolute predictability.
|
||||
random.seed(
|
||||
hashlib.sha256(
|
||||
('%s%s%s' % (random.getstate(), time.time(), settings.SECRET_KEY)).encode()
|
||||
).digest()
|
||||
)
|
||||
return ''.join(random.choice(allowed_chars) for i in range(length))
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user