kallithea Files · MANIFEST.in

Files @ 9a02f9ef28d7

Branch filter:

Location: kallithea/MANIFEST.in - annotation

9a02f9ef28d7 856 B text/plain Show Source Show as Raw Download as Raw

Mads Kiilerich

utils: make API key generator more random

The API key generator abused temporary filenames in what seems to be an attempt
of creating keys that unambiguously specified the user and thus were unique
across users. A final hashing did however remove that property.

More importantly, tempfile is not documented to use secure random numbers ...
and it only uses 6 characters, giving approximately 36 bits of entropy.

Instead, use the cryptographically secure os.urandom directly to generate keys
with the same length but with the full 160 bits of entropy.

Reported and fixed by Andrew Bartlett.

ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
2d7a94f3eaae
0e6035a85980
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
7e5f8c12a3fc
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef
ff08d3cf9aef

include           Apache-License-2.0.txt
include           CONTRIBUTORS
include           COPYING
include           LICENSE-MERGELY.html
include           LICENSE.md
include           MIT-Permissive-License.txt
include           README.rst
include           development.ini
recursive-include docs *
recursive-include init.d *
include           kallithea/bin/ldap_sync.conf
include           kallithea/bin/template.ini.mako
include           kallithea/config/deployment.ini_tmpl
recursive-include kallithea/i18n *
recursive-include kallithea/lib/dbmigrate *.py_tmpl README migrate.cfg
recursive-include kallithea/public *
recursive-include kallithea/templates *
recursive-include kallithea/tests/fixtures *
recursive-include kallithea/tests/scripts *
include           kallithea/tests/vcs/aconfig
include           production.ini
include           test.ini