Philippe Makowski [2013-10-18 22:02] :
> but it let the other CVE-2013-4346 about _check_signature() ignoring the
> nonce value when validating signed urls
>
> any idea ?
maybe something like that:
https://github.com/pmakowski/python-oauth2/commit/7002422bb39bc137713933bc2e55251853830fcc
But I
Jakub Wilk [2013-10-09 08:40] :
> Yeah, the oss-sec mail is about using a RNG that is not suitable for
> cryptographic purposes. This can be easily fixed by using
> "random.SystemRandom" (which uses /dev/urandom) instead of the "random"
> module directly (which has a Mersenne Twister under the hoo
[Disclaimer: I don't know anything about OAuth, or python-oauth2.]
* Paul Wise, 2013-10-09, 07:41:
On Wed, Oct 9, 2013 at 5:46 AM, Philippe Makowski wrote:
do you think that for fixing that, using
return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for i in
xrange(length))
On 9 Oct 2013 01:42, "Paul Wise" wrote:
>
> On Wed, Oct 9, 2013 at 5:46 AM, Philippe Makowski wrote:
>
> > do you think that for fixing that, using
> >
> > return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for
> > i in xrange(length))
> ...
> > would be an acceptable fix ?
>
On Wed, Oct 9, 2013 at 5:46 AM, Philippe Makowski wrote:
> do you think that for fixing that, using
>
> return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for
> i in xrange(length))
...
> would be an acceptable fix ?
No, from the announcement of this issue on oss-sec:
... the Py
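Added example, not code from python-oauth2 or from anyone on this thread: the nonce generator proposed above, built on the module-level `random` (Mersenne Twister), placed beside the `random.SystemRandom` replacement suggested in the thread. The function names and the leaked-state scenario are assumptions for illustration; the alphabet is the one quoted in the messages (it has a-z and 1-9, and no '0').

```python
import math
import random

# Alphabet exactly as proposed on the list: a-z plus 1-9 (35 symbols; note it has no '0').
THREAD_ALPHABET = 'abcdefghijklmnopqrstuvwxyz123456789'

# A process-wide SystemRandom draws every byte from os.urandom(), i.e. the kernel CSPRNG.
_sysrand = random.SystemRandom()


def generate_nonce_weak(length, alphabet=THREAD_ALPHABET, rng=random):
    """The proposal from the thread: choice() from the module-level generator,
    which is MT19937. Its output is a deterministic function of a 624-word state,
    and that state is recoverable from enough observed raw outputs, so it is
    not suitable for nonces. (Name is an assumption for this example.)"""
    return ''.join(rng.choice(alphabet) for _ in range(length))


def generate_nonce(length, alphabet=THREAD_ALPHABET):
    """Hardened form: same interface, but choice() comes from SystemRandom."""
    return ''.join(_sysrand.choice(alphabet) for _ in range(length))


def nonce_entropy_bits(length, alphabet_size=len(THREAD_ALPHABET)):
    """Upper bound on the entropy of a nonce, valid only if the generator is
    unpredictable. With a weak generator the real unpredictability is bounded
    by the seed/state, not by this number."""
    return length * math.log2(alphabet_size)


def predict_from_captured_state(length=16, count=3):
    """Hypothetical scenario: the victim's generator state leaks (for example a
    pickled Random object in a debug dump). An attacker who loads that state
    reproduces every nonce the victim issues afterwards."""
    victim = random.Random()            # seeded from the OS, like the module generator
    captured = victim.getstate()        # the leak
    issued = [generate_nonce_weak(length, rng=victim) for _ in range(count)]

    attacker = random.Random()
    attacker.setstate(captured)
    predicted = [generate_nonce_weak(length, rng=attacker) for _ in range(count)]
    return issued == predicted          # True: the weak nonces are fully predictable


def system_random_has_no_capturable_state():
    """SystemRandom has no internal state to leak or replay: getstate() is
    deliberately unimplemented in CPython, so the same attack does not apply."""
    try:
        _sysrand.getstate()
    except NotImplementedError:
        return True
    return False


if __name__ == '__main__':
    print('weak nonces predictable from leaked state:', predict_from_captured_state())
    print('SystemRandom exposes state:', not system_random_has_no_capturable_state())
    print('hardened nonce:', generate_nonce(32),
          '(%.1f bits if the generator is uniform)' % nonce_entropy_bits(32))
```

`generate_nonce` is a drop-in replacement for the proposed helper: same alphabet, same length, only the source of randomness changes. On Python 3.6 and later the `secrets` module (`secrets.choice`, `secrets.token_urlsafe`) wraps `SystemRandom` for exactly this purpose.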