kallithea Files · CONTRIBUTORS

Files @ 9a02f9ef28d7

Branch filter:

Location: kallithea/CONTRIBUTORS

9a02f9ef28d7 3.2 KiB text/plain Show Annotation Show as Raw Download as Raw

Mads Kiilerich

utils: make API key generator more random

The API key generator abused temporary filenames in what seems to be an attempt
of creating keys that unambiguously specified the user and thus were unique
across users. A final hashing did however remove that property.

More importantly, tempfile is not documented to use secure random numbers ...
and it only uses 6 characters, giving approximately 36 bits of entropy.

Instead, use the cryptographically secure os.urandom directly to generate keys
with the same length but with the full 160 bits of entropy.

Reported and fixed by Andrew Bartlett.

List of contributors to Kallithea project:
    Marcin Kuźmiński <marcin@python-works.com>
    Lukasz Balcerzak <lukaszbalcerzak@gmail.com>
    Jason Harris <jason@jasonfharris.com>
    Thayne Harbaugh  <thayne@fusionio.com>
    cejones <>
    Thomas Waldmann <tw-public@gmx.de>
    Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it>
    Dmitri Kuznetsov <>
    Jared Bunting <jared.bunting@peachjean.com>
    Steve Romanow <slestak989@gmail.com>
    Augosto Hermann <augusto.herrmann@planejamento.gov.br>    
    Ankit Solanki <ankit.solanki@gmail.com>    
    Liad Shani <liadff@gmail.com>
    Les Peabody <lpeabody@gmail.com>
    Jonas Oberschweiber <jonas.oberschweiber@d-velop.de>
    Matt Zuba <matt.zuba@goodwillaz.org>
    Aras Pranckevicius <aras@unity3d.com>
    Tony Bussieres <t.bussieres@gmail.com>
    Erwin Kroon <e.kroon@smartmetersolutions.nl>
    nansenat16 <nansenat16@null.tw>
    Vincent Duvert <vincent@duvert.net>
    Takumi IINO <trot.thunder@gmail.com>
    Indra Talip <indra.talip@gmail.com>
    James Rhodes <jrhodes@redpointsoftware.com.au>
    Dominik Ruf <dominikruf@gmail.com>
    xpol <xpolife@gmail.com>
    Vincent Caron <vcaron@bearstech.com>
    Zachary Auclair <zach101@gmail.com>
    Stefan Engel <mail@engel-stefan.de>
    Andrew Shadura <andrew@shadura.me>
    Raoul Thill <raoul.thill@gmail.com>
    Philip Jameson <philip.j@hostdime.com>
    Mads Kiilerich <madski@unity3d.com>
    Dan Sheridan <djs@adelard.com>
    Dennis Brakhane <brakhane@googlemail.com>
    Simon Lopez <simon.lopez@slopez.org>
    Jonathan Sternberg <jonathansternberg@gmail.com>
    Grzegorz Rożniecki <xaerxess@gmail.com>
    Andrew Kesterson <andrew@aklabs.net>
    David A. Sjøen <david.sjoen@westcon.no>
    Jelmer Vernooĳ <jelmer@samba.org>
    larikale
    SteveCohen
    RhodeCode GmbH
    Sebastian Kreutzberger <sebastian@rhodecode.com>
    thomas <thomas@rhodecode.com>
    Bradley M. Kuhn <bkuhn@sfconservancy.org>
    Sean Farley <sean.michael.farley@gmail.com>
    Martin Vium <martinv@unity3d.com>
    Daniel Anderson <daniel@dattrix.com>
    Travis Burtrum <android@moparisthebest.com>
    Calinou <calinou@opmbx.org>
    Christian Oyarzun <oyarzun@gmail.com>
    Denis Blanchette <dblanchette@coveo.com>
    duanhongyi <duanhongyi@doopai.com>
    Henrik Stuart <hg@hstuart.dk>
    Ingo von Borstel <kallithea@planetmaker.de>
    Jan Heylen <heyleke@gmail.com>
    Jim Hague <jim.hague@acm.org>
    Joseph Rivera <rivera.d.joseph@gmail.com>
    Kazunari Kobayashi <kobanari@nifty.com>
    Matt Fellows <kallithea@matt-fellows.me.uk>
    Max Roman <max@choloclos.se>
    Michael Pohl <michael@mipapo.de>
    Michael V. DePalatis <mike@depalatis.net>
    Michal Čihař <michal@cihar.com>
    Morten Skaaning <mortens@unity3d.com>
    Na'Tosha Bard <natosha@unity3d.com>
    Nick High <nick@silverchip.org>
    Niemand Jedermann <predatorix@web.de>
    Peter Vitt <petervitt@web.de>
    Sam Jaques <sam.jaques@me.com>
    Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
    Tuux <tuxa@galaxie.eu.org>
    Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
    Kevin Bullock <kbullock@ringworld.org>
    Marc Villetard <marc.villetard@gmail.com>
    Matthias Zilk <matthias.zilk@gmail.com>
    Tim Freund <tim@freunds.net>