
ruby-changes:39667

From: nobu <ko1@a...>
Date: Thu, 3 Sep 2015 21:12:33 +0900 (JST)
Subject: [ruby-changes:39667] nobu:r51748 (trunk): session.rb: SHA512

nobu	2015-09-03 21:12:14 +0900 (Thu, 03 Sep 2015)

  New Revision: 51748

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=51748

  Log:
    session.rb: SHA512
    
    * lib/cgi/session.rb (create_new_id): use SHA512 instead of MD5.
      pointed out by SARWAR JAHAN.

  Modified files:
    trunk/ChangeLog
    trunk/lib/cgi/session.rb
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 51747)
+++ ChangeLog	(revision 51748)
@@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Thu Sep  3 21:12:12 2015  Nobuyoshi Nakada  <nobu@r...>
+
+	* lib/cgi/session.rb (create_new_id): use SHA512 instead of MD5.
+	  pointed out by SARWAR JAHAN.
+
 Thu Sep  3 20:29:18 2015  Koichi Sasada  <ko1@a...>
 
 	* gc.c (rb_raw_obj_info): iseq->body->location.first_lineno is Fixnum.
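Review bot: the ChangeLog entry reads as if session ids are now SHA512-based, but the change only touches the fallback path taken when `SecureRandom.hex(16)` raises `NotImplementedError`; on every normal system the id is still 16 random bytes and the digest code never runs. Suggest wording it as "use SHA512 instead of MD5 in the fallback when SecureRandom is unavailable" so readers do not assume the id format or generation method changed.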
Index: lib/cgi/session.rb
===================================================================
--- lib/cgi/session.rb	(revision 51747)
+++ lib/cgi/session.rb	(revision 51748)
@@ -163,24 +163,26 @@ class CGI https://github.com/ruby/ruby/blob/trunk/lib/cgi/session.rb#L163
 
     # Create a new session id.
     #
-    # The session id is an MD5 hash based upon the time,
-    # a random number, and a constant string.  This routine
-    # is used internally for automatically generated
-    # session ids.
+    # The session id is a secure random number by SecureRandom
+    # if possible, otherwise an SHA512 hash based upon the time,
+    # a random number, and a constant string.  This routine is
+    # used internally for automatically generated session ids.
     def create_new_id
       require 'securerandom'
       begin
+        # by OpenSSL, or system provided entropy pool
         session_id = SecureRandom.hex(16)
       rescue NotImplementedError
-        require 'digest/md5'
-        md5 = Digest::MD5::new
+        # never happens on modern systems
+        require 'digest'
+        d = Digest('SHA512').new
         now = Time::now
-        md5.update(now.to_s)
-        md5.update(String(now.usec))
-        md5.update(String(rand(0)))
-        md5.update(String($$))
-        md5.update('foobar')
-        session_id = md5.hexdigest
+        d.update(now.to_s)
+        d.update(String(now.usec))
+        d.update(String(rand(0)))
+        d.update(String($$))
+        d.update('foobar')
+        session_id = d.hexdigest[0, 32]
       end
       session_id
     end
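Review bot: swapping MD5 for SHA512 does not fix the actual weakness of this fallback, which is its inputs rather than the digest: `now.to_s`, `now.usec`, `rand(0)`, `$$` and the constant `'foobar'` are all low-entropy or guessable, and hashing guessable inputs with a stronger function yields an equally guessable id. Since the new comment already says this path "never happens on modern systems", consider raising (or re-raising the `NotImplementedError`) instead of silently handing out a weaker id, or at minimum have the doc comment say plainly that the fallback id is not cryptographically random. The `d.hexdigest[0, 32]` truncation is fine (it keeps the 32-hex-character length of `SecureRandom.hex(16)`) but deserves a comment saying so, since a reader may otherwise take it for a mistake. Nit: the doc comment should read "a SHA512 hash", not "an SHA512 hash".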

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
