Module: tools Branch: master Commit: 617f67bdeafa9e686c4378160ea912e8eaf2d00c URL: https://source.winehq.org/git/tools.git/?a=commit;h=617f67bdeafa9e686c437816...
Author: Francois Gouget fgouget@codeweavers.com Date: Tue Feb 4 15:51:42 2020 +0100
testbot/web: Use a cryptographically secure random number generator.
Session ids should really be hard to guess so a user cannot take over another's session. This also fixes a bug where the session id length could be less than 32 characters.
Note: * This introduces a dependency on the Bytes::Random::Secure Perl module.
Signed-off-by: Francois Gouget fgouget@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org
---
testbot/doc/INSTALL.txt | 1 + testbot/lib/WineTestBot/CGI/Sessions.pm | 8 +++----- 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/testbot/doc/INSTALL.txt b/testbot/doc/INSTALL.txt
index 456ffe6..4d430d9 100644
--- a/testbot/doc/INSTALL.txt
+++ b/testbot/doc/INSTALL.txt
@@ -6,6 +6,7 @@ Dependencies:
 - MySQL
 - Perl DBD and DBI::mysql modules
 - Sendmail and Procmail
+- Bytes::Random::Secure (libbytes-random-secure-perl)
 - Sys::Virt (libsys-virt-perl, see http://libvirt.org/)
 - Image::Magick (perlmagick)
 - Optional: IO::Socket::IP (for IPv6, libio-socket-ip-perl)
diff --git a/testbot/lib/WineTestBot/CGI/Sessions.pm b/testbot/lib/WineTestBot/CGI/Sessions.pm
index 380d4b8..0afe6c9 100644
--- a/testbot/lib/WineTestBot/CGI/Sessions.pm
+++ b/testbot/lib/WineTestBot/CGI/Sessions.pm
@@ -56,7 +56,9 @@ use WineTestBot::WineTestBotObjects;
 our @ISA = qw(WineTestBot::WineTestBotCollection);
 our @EXPORT = qw(CreateSessions DeleteSessions NewSession);
+use Bytes::Random::Secure;
 use CGI::Cookie;
+
 use ObjectModel::BasicPropertyDescriptor;
 use ObjectModel::ItemrefPropertyDescriptor;
 use WineTestBot::Users;
@@ -123,11 +125,7 @@ sub NewSession($$$)
 my $Id;
 while (defined($Existing))
 {
- $Id = "";
- foreach my $i (1..8)
- {
- $Id .= sprintf("%lx", int(rand(2 ** 16)));
- }
+ $Id = Bytes::Random::Secure::random_bytes_hex(16);
 $Existing = $self->GetItem($Id);
 }
 $Session->Id($Id);
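Review bot: The new line `$Id = Bytes::Random::Secure::random_bytes_hex(16);` carries no comment explaining that 16 bytes is chosen to yield exactly 32 hex characters (128 bits), which is the length the commit message implies the id field expects; add `# 16 random bytes -> 32 hex chars (128 bits of CSPRNG output): session ids must be unguessable` above it so the byte count is not later "tidied" to some other width. Per its documentation, the functional interface of Bytes::Random::Secure lazily seeds a single module-level generator on first call (the same documentation governs whether that seed read can block); if Sessions.pm runs under a persistent or pre-forking server, confirm that children seed after fork rather than reusing the parent's stream, since two workers emitting the same id sequence would defeat the purpose of this change — this cannot be verified from the hunk. The retained `while (defined($Existing))` retry loop is fine to keep as a guard against a stored duplicate, although with 128-bit ids a collision is negligible. NewSession's body starts before and continues past this hunk.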