Files @ 9a02f9ef28d7
Branch filter:

Location: kallithea/init.d/kallithea-daemon-debian

9a02f9ef28d7 1.7 KiB text/plain Show Annotation Show as Raw Download as Raw
Mads Kiilerich
utils: make API key generator more random

The API key generator abused temporary filenames in what seems to be an attempt
of creating keys that unambiguously specified the user and thus were unique
across users. A final hashing did however remove that property.

More importantly, tempfile is not documented to use secure random numbers ...
and it only uses 6 characters, giving approximately 36 bits of entropy.

Instead, use the cryptographically secure os.urandom directly to generate keys
with the same length but with the full 160 bits of entropy.

Reported and fixed by Andrew Bartlett.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/bin/sh -e
########################################
#### THIS IS A DEBIAN INIT.D SCRIPT ####
########################################
 
### BEGIN INIT INFO
# Provides:          kallithea          
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts instance of kallithea
# Description:       starts instance of kallithea using start-stop-daemon
### END INIT INFO
 
APP_NAME="kallithea"
APP_HOMEDIR="opt"
APP_PATH="/$APP_HOMEDIR/$APP_NAME"
 
CONF_NAME="production.ini"
 
PID_PATH="$APP_PATH/$APP_NAME.pid"
LOG_PATH="$APP_PATH/$APP_NAME.log"
 
PYTHON_PATH="/$APP_HOMEDIR/$APP_NAME-venv"
 
RUN_AS="root"
 
DAEMON="$PYTHON_PATH/bin/paster"
 
DAEMON_OPTS="serve --daemon \
 --user=$RUN_AS \
 --group=$RUN_AS \
 --pid-file=$PID_PATH \
 --log-file=$LOG_PATH  $APP_PATH/$CONF_NAME"
 
 
start() {
  echo "Starting $APP_NAME"
  PYTHON_EGG_CACHE="/tmp" start-stop-daemon -d $APP_PATH \
      --start --quiet \
      --pidfile $PID_PATH \
      --user $RUN_AS \
      --exec $DAEMON -- $DAEMON_OPTS
}
 
stop() {
  echo "Stopping $APP_NAME"
  start-stop-daemon -d $APP_PATH \
      --stop --quiet \
      --pidfile $PID_PATH || echo "$APP_NAME - Not running!"
 
  if [ -f $PID_PATH ]; then
    rm $PID_PATH
  fi
}
 
status() {
  echo -n "Checking status of $APP_NAME ... "
  pid=`cat $PID_PATH`
  status=`ps ax | grep $pid | grep -ve grep`
  if [ "$?" -eq 0 ]; then
    echo "running"
  else
    echo "NOT running"
  fi
}
 
case "$1" in
  status)
   status
    ;;
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    echo "Restarting $APP_NAME"
    ### stop ###
    stop
    wait
    ### start ###
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.