diff options
author | Olaf Conradi <olaf@conradi.org> | 2018-04-13 10:32:01 +0200 |
---|---|---|
committer | Pieter Ennes <pieter@ennes.nl> | 2018-04-13 10:32:01 +0200 |
commit | d21fd53e13c044ad034694ee93e97eb7c4aac101 (patch) | |
tree | 9b8753ba52e5a4f1e52d2ea0a4cfc25d01edbf68 | |
parent | d49b9f02a821dca920c89b24540485da3b96bf1e (diff) | |
download | oauthlib-d21fd53e13c044ad034694ee93e97eb7c4aac101.tar.gz |
Use secrets module in Python 3.6 and later (#533)
The secrets module should be used for generating cryptographically
strong random numbers suitable for managing data such as passwords,
account authentication, security tokens, and related secrets.
In particularly, secrets should be used in preference to the default
pseudo-random number generator in the random module, which is
designed for modelling and simulation, not security or cryptography.
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | docs/oauth1/security.rst | 12 | ||||
-rw-r--r-- | oauthlib/common.py | 11 |
3 files changed, 16 insertions, 8 deletions
@@ -28,3 +28,4 @@ Joel Stevenson Brendan McCollam Jonathan Huot Pieter Ennes +Olaf Conradi diff --git a/docs/oauth1/security.rst b/docs/oauth1/security.rst index a1432a9..df1e2a0 100644 --- a/docs/oauth1/security.rst +++ b/docs/oauth1/security.rst @@ -16,11 +16,13 @@ A few important facts regarding OAuth security * **Tokens must be random**, OAuthLib provides a method for generating secure tokens and it's packed into ``oauthlib.common.generate_token``, - use it. If you decide to roll your own, use ``random.SystemRandom`` - which is based on ``os.urandom`` rather than the default ``random`` - based on the effecient but not truly random Mersenne Twister. - Predictable tokens allow attackers to bypass virtually all defences - OAuth provides. + use it. If you decide to roll your own, use ``secrets.SystemRandom`` + for Python 3.6 and later. The ``secrets`` module is designed for + generating cryptographically strong random numbers. For earlier versions + of Python, use ``random.SystemRandom`` which is based on ``os.urandom`` + rather than the default ``random`` based on the effecient but not truly + random Mersenne Twister. Predictable tokens allow attackers to bypass + virtually all defences OAuth provides. * **Timing attacks are real** and more than possible if you host your application inside a shared datacenter. Ensure all ``validate_`` methods diff --git a/oauthlib/common.py b/oauthlib/common.py index afcc09c..f25656f 100644 --- a/oauthlib/common.py +++ b/oauthlib/common.py @@ -11,12 +11,17 @@ from __future__ import absolute_import, unicode_literals import collections import datetime import logging -import random import re import sys import time try: + from secrets import randbits + from secrets import SystemRandom +except ImportError: + from random import getrandbits as randbits + from random import SystemRandom +try: from urllib import quote as _quote from urllib import unquote as _unquote from urllib import urlencode as _urlencode @@ -202,7 +207,7 @@ def generate_nonce(): .. _`section 3.2.1`: https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01#section-3.2.1 .. _`section 3.3`: https://tools.ietf.org/html/rfc5849#section-3.3 """ - return unicode_type(unicode_type(random.getrandbits(64)) + generate_timestamp()) + return unicode_type(unicode_type(randbits(64)) + generate_timestamp()) def generate_timestamp(): @@ -225,7 +230,7 @@ def generate_token(length=30, chars=UNICODE_ASCII_CHARACTER_SET): and entropy when generating the random characters is important. Which is why SystemRandom is used instead of the default random.choice method. """ - rand = random.SystemRandom() + rand = SystemRandom() return ''.join(rand.choice(chars) for x in range(length)) |