ruby-changes:39667
From: nobu <ko1@a...>
Date: Thu, 3 Sep 2015 21:12:33 +0900 (JST)
Subject: [ruby-changes:39667] nobu:r51748 (trunk): session.rb: SHA512
nobu 2015-09-03 21:12:14 +0900 (Thu, 03 Sep 2015) New Revision: 51748 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=51748 Log: session.rb: SHA512 * lib/cgi/session.rb (create_new_id): use SHA512 instead of MD5. pointed out by SARWAR JAHAN. Modified files: trunk/ChangeLog trunk/lib/cgi/session.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 51747) +++ ChangeLog (revision 51748) @@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Thu Sep 3 21:12:12 2015 Nobuyoshi Nakada <nobu@r...> + + * lib/cgi/session.rb (create_new_id): use SHA512 instead of MD5. + pointed out by SARWAR JAHAN. + Thu Sep 3 20:29:18 2015 Koichi Sasada <ko1@a...> * gc.c (rb_raw_obj_info): iseq->body->location.first_lineno is Fixnum. Index: lib/cgi/session.rb =================================================================== --- lib/cgi/session.rb (revision 51747) +++ lib/cgi/session.rb (revision 51748) 
@@ -163,24 +163,26 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/session.rb#L163 # Create a new session id. # - # The session id is an MD5 hash based upon the time, - # a random number, and a constant string. This routine - # is used internally for automatically generated - # session ids. + # The session id is a secure random number by SecureRandom + # if possible, otherwise an SHA512 hash based upon the time, + # a random number, and a constant string. This routine is + # used internally for automatically generated session ids. def create_new_id require 'securerandom' begin + # by OpenSSL, or system provided entropy pool session_id = SecureRandom.hex(16) rescue NotImplementedError - require 'digest/md5' - md5 = Digest::MD5::new + # never happens on modern systems + require 'digest' + d = Digest('SHA512').new now = Time::now - md5.update(now.to_s) - md5.update(String(now.usec)) - md5.update(String(rand(0))) - md5.update(String($$)) - md5.update('foobar') - session_id = md5.hexdigest + d.update(now.to_s) + d.update(String(now.usec)) + d.update(String(rand(0))) + d.update(String($$)) + d.update('foobar') + session_id = d.hexdigest[0, 32] end session_id end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
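Review bot: in the lib/cgi/session.rb hunk, replacing `Digest::MD5` with `Digest('SHA512')` does not make the fallback ids any harder to predict, because the hashed inputs (`now.to_s`, `now.usec`, `rand(0)`, `$$` and the constant `'foobar'`) are either observable or drawn from the non-cryptographic `Kernel#rand`; the unpredictability of the result is bounded by those inputs, not by the digest's output size. Given the new comment `# never happens on modern systems` on the `rescue NotImplementedError` branch, consider re-raising with a clear error when `SecureRandom.hex(16)` is unavailable, or at least say in the updated doc comment that the SHA512 path is a last-resort fallback with weaker guarantees than the SecureRandom path. Two smaller points: `d.hexdigest[0, 32]` deserves a comment that it matches the 32 hex characters of `SecureRandom.hex(16)`, since it otherwise reads like an arbitrary truncation, and "an SHA512 hash" in the doc comment should read "a SHA512 hash".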