[tor-bugs] #31967 [Circumvention/BridgeDB]: BridgeDB Server uses insecure pseudorandom generator for selecting cached captcha
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Feb 20 10:41:25 UTC 2020
#31967: BridgeDB Server uses insecure pseudorandom generator for selecting cached
captcha
------------------------------------+-----------------------------------
Reporter: willbarr | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Circumvention/BridgeDB | Version: sbws: unspecified
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------+-----------------------------------
Comment (by agix):
Subject: [PATCH] Fix for #31967. Changed pseudo-random generator to
random.SystemRandom.choice()
---
bridgedb/captcha.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bridgedb/captcha.py b/bridgedb/captcha.py
index b66972c..485974b 100644
--- a/bridgedb/captcha.py
+++ b/bridgedb/captcha.py
@@ -386,7 +386,7 @@ class GimpCaptcha(Captcha):
and a challenge string (used for checking the client's solution).
"""
try:
imageFilename = random.choice(os.listdir(self.cacheDir))
+ imageFilename = random.SystemRandom().choice(os.listdir(self.cacheDir))
imagePath = os.path.join(self.cacheDir, imageFilename)
with open(imagePath) as imageFile:
self.image = imageFile.read()
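Review bot: The added line builds a fresh `random.SystemRandom()` object on every call just to make one `choice()`. Create the instance once (at module level or on the class) and reuse it; or, if the code base can rely on Python 3.6 or later, use `secrets.choice(...)`, which draws from the same OS source and makes the intent explicit. A short comment on that line saying why the selection must not come from the default Mersenne Twister generator would keep a later cleanup from reverting it to `random.choice`. Separately, `choice()` raises `IndexError` when `os.listdir(self.cacheDir)` returns an empty list, and the `except` clause for the visible `try:` lies outside this hunk, so it is worth confirming that case is handled there.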
--
2.17.1
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31967#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online