Francois Gouget : testbot/web: Use a cryptographically secure random number generator.
Module: tools Branch: master Commit: 617f67bdeafa9e686c4378160ea912e8eaf2d00c URL: https://source.winehq.org/git/tools.git/?a=commit;h=617f67bdeafa9e686c437816... Author: Francois Gouget <fgouget(a)codeweavers.com> Date: Tue Feb 4 15:51:42 2020 +0100 testbot/web: Use a cryptographically secure random number generator. Session ids should really be hard to guess so a user cannot take over another's session. This also fixes a bug where the session id length could be less than 32 characters. Note: * This introduces a dependency on the Bytes::Random::Secure Perl module. Signed-off-by: Francois Gouget <fgouget(a)codeweavers.com> Signed-off-by: Alexandre Julliard <julliard(a)winehq.org> --- testbot/doc/INSTALL.txt | 1 + testbot/lib/WineTestBot/CGI/Sessions.pm | 8 +++----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/testbot/doc/INSTALL.txt b/testbot/doc/INSTALL.txt index 456ffe6..4d430d9 100644 --- a/testbot/doc/INSTALL.txt +++ b/testbot/doc/INSTALL.txt @@ -6,6 +6,7 @@ Dependencies: - MySQL - Perl DBD and DBI::mysql modules - Sendmail and Procmail +- Bytes::Random::Secure (libbytes-random-secure-perl) - Sys::Virt (libsys-virt-perl, see http://libvirt.org/) - Image::Magick (perlmagick) - Optional: IO::Socket::IP (for IPv6, libio-socket-ip-perl) diff --git a/testbot/lib/WineTestBot/CGI/Sessions.pm b/testbot/lib/WineTestBot/CGI/Sessions.pm index 380d4b8..0afe6c9 100644 --- a/testbot/lib/WineTestBot/CGI/Sessions.pm +++ b/testbot/lib/WineTestBot/CGI/Sessions.pm @@ -56,7 +56,9 @@ use WineTestBot::WineTestBotObjects; our @ISA = qw(WineTestBot::WineTestBotCollection); our @EXPORT = qw(CreateSessions DeleteSessions NewSession); +use Bytes::Random::Secure; use CGI::Cookie; + use ObjectModel::BasicPropertyDescriptor; use ObjectModel::ItemrefPropertyDescriptor; use WineTestBot::Users; 
@@ -123,11 +125,7 @@ sub NewSession($$$) my $Id; while (defined($Existing)) { - $Id = ""; - foreach my $i (1..8) - { - $Id .= sprintf("%lx", int(rand(2 ** 16))); - } + $Id = Bytes::Random::Secure::random_bytes_hex(16); $Existing = $self->GetItem($Id); } $Session->Id($Id);
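Review bot: in the first Sessions.pm hunk the added blank line after `use CGI::Cookie;` splits the existing run of `use` statements in two (it now sits between `use CGI::Cookie;` and `use ObjectModel::BasicPropertyDescriptor;`); drop it so the block stays contiguous. Since the call site uses the fully qualified `Bytes::Random::Secure::random_bytes_hex(16)`, the module's default exports are not needed either, so `use Bytes::Random::Secure ();` (or importing `random_bytes_hex` explicitly and calling it unqualified) would keep the package namespace clean.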
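Review bot: in the NewSession hunk the magic number in `$Id = Bytes::Random::Secure::random_bytes_hex(16);` deserves a short comment tying it to the commit message: 16 random bytes encode to exactly 32 hex characters (128 bits), which the old `sprintf("%lx", int(rand(2 ** 16)))` loop only produced when every one of its eight 16-bit values happened to need four hex digits. The surrounding `while (defined($Existing))` retry on an id that already exists is still correct and cheap, so it should stay even though a collision between 128-bit random ids is not a realistic concern.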
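The commit message says the old loop could produce ids shorter than 32 characters and that the new ones are hard to guess. The following Python is an added illustration, not code from the commit or from the WineTestBot project: it models the pre-fix construction (Perl's `%lx` formatting of eight 16-bit values, which does not zero-pad) next to the post-fix one (16 CSPRNG bytes, hex encoded, as `random_bytes_hex(16)` returns), measures how often the old scheme fell short of 32 characters, and adds a hypothetical `is_valid_id` check that a session store could apply before a lookup. Python's `random.Random` stands in for Perl's `rand()` here and `secrets.token_hex` for `Bytes::Random::Secure`; both substitutions are assumptions of this example.

```python
import random
import re
import secrets

# Exactly 32 lowercase hex characters, i.e. 16 bytes, as random_bytes_hex(16) yields.
HEX_ID = re.compile(r"[0-9a-f]{32}")


def old_style_id(words):
    """Model of the pre-fix construction (constructed for this example, not the
    project's code): eight 16-bit values, each formatted like Perl's
    sprintf("%lx", ...) and concatenated.  %lx does not zero-pad, so a value
    below 0x1000 contributes fewer than four hex digits and the result is
    anywhere between 8 and 32 characters long."""
    if len(words) != 8 or any(not 0 <= w < 2 ** 16 for w in words):
        raise ValueError("expected eight values in [0, 65535]")
    return "".join(format(w, "x") for w in words)


def old_style_id_from(rng):
    """Old scheme driven by a seeded non-cryptographic PRNG, standing in for
    Perl's rand(), which is likewise not designed to be unpredictable."""
    return old_style_id([rng.randrange(2 ** 16) for _ in range(8)])


def new_style_id():
    """Post-fix construction: 16 bytes from the OS CSPRNG, hex encoded.
    This is what Bytes::Random::Secure::random_bytes_hex(16) returns."""
    return secrets.token_hex(16)


def is_valid_id(session_id):
    """Hypothetical server-side check: reject anything that is not exactly 32
    lowercase hex characters before it reaches the session lookup."""
    return HEX_ID.fullmatch(session_id) is not None


def old_length_range():
    """Shortest and longest ids the old loop could produce."""
    return len(old_style_id([0] * 8)), len(old_style_id([0xFFFF] * 8))


def short_id_fraction(trials=20000, seed=1):
    """Fraction of old-style ids shorter than 32 characters.  Each 16-bit word
    is below 0x1000 with probability 1/16, so all eight are four digits wide
    with probability (15/16)**8, about 0.60: roughly 40% of ids came out short."""
    rng = random.Random(seed)
    short = sum(len(old_style_id_from(rng)) < 32 for _ in range(trials))
    return short / trials


if __name__ == "__main__":
    print("old scheme length range:", old_length_range())
    print("old scheme ids shorter than 32 chars:", short_id_fraction())
    new_id = new_style_id()
    print("new scheme id:", new_id, "valid:", is_valid_id(new_id))
```

The length defect is visible from the two extremes alone (eight zero words give `00000000`, eight `0xffff` words give 32 characters), and the sampling shows it was the common case rather than a corner case; the new scheme is fixed-width by construction, which is what makes a strict format check like `is_valid_id` possible.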