0
0
mirror of https://github.com/django/django.git synced 2024-12-01 15:42:04 +01:00

Refs #27635 -- Removed fallback when SystemRandom() isn't available that doesn't work.

Fallback was untested and likely never triggered.
This commit is contained in:
Nick Pope 2019-05-15 21:54:27 +01:00 committed by Mariusz Felisiak
parent 5402061c80
commit 068005a349

View File

@ -4,21 +4,10 @@ Django's standard crypto functions and utilities.
import hashlib
import hmac
import random
import time
from django.conf import settings
from django.utils.encoding import force_bytes
# Use the system PRNG if possible
try:
random = random.SystemRandom()
using_sysrandom = True
except NotImplementedError:
import warnings
warnings.warn('A secure pseudo-random number generator is not available '
'on your system. Falling back to Mersenne Twister.')
using_sysrandom = False
def salted_hmac(key_salt, value, secret=None):
"""
@ -54,18 +43,6 @@ def get_random_string(length=12,
The default length of 12 with the a-z, A-Z, 0-9 character set returns
a 71-bit value. log_2((26+26+10)^12) =~ 71 bits
"""
if not using_sysrandom:
# This is ugly, and a hack, but it makes things better than
# the alternative of predictability. This re-seeds the PRNG
# using a value that is hard for an attacker to predict, every
# time a random string is required. This may change the
# properties of the chosen random sequence slightly, but this
# is better than absolute predictability.
random.seed(
hashlib.sha256(
('%s%s%s' % (random.getstate(), time.time(), settings.SECRET_KEY)).encode()
).digest()
)
return ''.join(random.choice(allowed_chars) for i in range(length))