mattia / pagure

Forked from pagure 2 years ago
Clone

f92d52c Don't generate API keys with random.choice

1 file Authored by jcline 3 years ago, Committed by pingou 3 years ago,
    Don't generate API keys with random.choice
    
    Pagure uses pagure.lib.login.id_generator to generate API tokens, hook
    tokens, etc, which is backed by random.choice. random.choice is backed
    by the Mersenne Twister PRNG, which is *not* a CSPRNG and should never
    be used for any security-related purposes[0].
    
    Use the secrets API if it's available, and fall back to random backed by
    /dev/urandom.
    
    [0] https://docs.python.org/3/library/random.html
    
    Signed-off-by: Jeremy Cline <jcline@redhat.com>
    
        
file modified
+9 -2