SystemRandom is not imported correctly #486

Closed
shelman opened this issue Feb 9, 2018 · 1 comment · Fixed by #487

shelman commented Feb 9, 2018

In src/oic/__init__.py, random.SystemRandom is imported via the following code:

try:
    import random.SystemRandom as rnd
except ImportError:
    import random as rnd

In both python2 and python3 this yields an import error and falls back to the random package.

I believe the fix is to change the import to from random import SystemRandom as rnd. The import works locally for me but I am having some trouble with the unit tests and wanted to check in before opening a pull request.

Collaborator

schlenk commented Feb 9, 2018

That's bad. Yes, PR welcome. That shouldn't break any tests.

tpazderka pushed a commit that referenced this issue Feb 12, 2018
* Fix randomness for rndstr() and unreserved()

The import for SystemRandom was broken, so rndstr() got its randomness from the non-CSPRNG random.Random().

We now use secrets.choice() when available, otherwise fall back to SystemRandom and warn if only the Mersenne-Twister based random.Random() is available.

It is probably a good idea to migrate to secrets.token_* APIs for rndstr() and unreserved() in the future.

Close #486
andrewkrug pushed a commit to mozilla-iam/pyoidc that referenced this issue Jun 6, 2019
* Fix randomness for rndstr() and unreserved()

The import for SystemRandom was broken, so rndstr() got its randomness from the non-CSPRNG random.Random().

We now use secrets.choice() when available, otherwise fall back to SystemRandom and warn if only the Mersenne-Twister based random.Random() is available.

It is probably a good idea to migrate to secrets.token_* APIs for rndstr() and unreserved() in the future.

Close CZ-NIC#486
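
The failure mode reported in this issue and the selection order described in the commit message, as an added example that is not code from pyoidc or from this thread. It shows that the original import always takes the fallback branch, that the fallback source replays its output when reseeded, and one way to prefer a CSPRNG. The names `broken_import`, `is_reproducible`, `pick_choice`, `demo_rndstr` and `ALPHABET` are assumptions made for the illustration.

```python
import random
import string
import warnings

ALPHABET = string.ascii_letters + string.digits  # assumed alphabet for the demo


def broken_import():
    """The import from the issue: returns whatever ends up bound to `rnd`."""
    try:
        # `random` is a module, not a package, so this always raises
        # ImportError and the except branch runs on every interpreter.
        import random.SystemRandom as rnd
    except ImportError:
        import random as rnd  # Mersenne Twister module API, not a CSPRNG
    return rnd


def is_reproducible(rng, size=32):
    """True if reseeding replays the same string, i.e. output is predictable."""
    rng.seed(1234)
    first = "".join(rng.choice(ALPHABET) for _ in range(size))
    rng.seed(1234)
    second = "".join(rng.choice(ALPHABET) for _ in range(size))
    return first == second


def pick_choice():
    """Selection order from the commit message: secrets, SystemRandom, random."""
    try:
        import secrets
        return secrets.choice, "secrets"
    except ImportError:
        pass
    try:
        from random import SystemRandom
        return SystemRandom().choice, "SystemRandom"
    except ImportError:
        warnings.warn("no CSPRNG available, falling back to random.Random()")
        return random.choice, "random"


def demo_rndstr(size=24):
    """Hypothetical stand-in for rndstr(): a string drawn from the best source."""
    choice, _source = pick_choice()
    return "".join(choice(ALPHABET) for _ in range(size))
```

A regression test for this class of bug can assert on the selected source, as `pick_choice()` reports it, instead of only checking that a string of the right length comes back.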