SaturninoMateus / jaikuengine

Automatically exported from code.google.com/p/jaikuengine
Apache License 2.0

Security: Email activation links are insecure #46

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The api.activation_required function trims the randomly generated UUID back
to an insecure 4 digits:

@admin_required
def activation_create(api_user, nick, type, content):
  activation_ref = Activation(
      actor=nick,
      content=content,
      code=util.generate_uuid()[:4],
      type=type,
      )
  activation_ref.put()
  return activation_ref

This means that the entire keyspace is 64k which is easily brute forceable.
Ideally the entire UUID would be used by dropping the [:4] above, but this
may create line wrapping problems in some email clients.

Original issue reported on code.google.com by s...@samj.net on 16 Mar 2009 at 5:20

GoogleCodeExporter commented 9 years ago
sounds pretty reasonable, I'd still want to limit the length a bit, maybe 10ish digits

Original comment by andyster on 22 Apr 2009 at 11:06
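Added example, not jaikuengine code: it puts numbers on both comments above (the 4-character truncation and the "10ish digits" alternative) and shows how a length-limited code can still be verified safely. It assumes util.generate_uuid() returns a hex string like uuid4().hex (which the 64k figure implies) and uses an assumed lockout threshold MAX_ATTEMPTS; ActivationRecord is a stand-in for the Activation entity.

```python
import hmac
import math
import secrets
import string
import uuid

ALNUM = string.ascii_letters + string.digits  # 62 symbols, fits on one email line
MAX_ATTEMPTS = 5  # assumed lockout threshold, not a jaikuengine setting


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a code drawn uniformly from alphabet_size ** length values."""
    return length * math.log2(alphabet_size)


def truncated_uuid_code(length=4):
    """The pattern from the report: a hex UUID cut down to `length` characters."""
    return uuid.uuid4().hex[:length]


def short_activation_code(length=10):
    """Length-limited alternative: CSPRNG draw from the 62-symbol alphabet."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def compare_keyspaces():
    """Bits of entropy for the truncated code, a 10-char alphanumeric code, and a full UUID."""
    return {
        "hex4": keyspace_bits(16, 4),            # 16 bits, 65536 codes
        "alnum10": keyspace_bits(len(ALNUM), 10),  # ~59.5 bits
        "hex32": keyspace_bits(16, 32),          # 128 bits
    }


class ActivationRecord:
    """Stand-in for the Activation entity: the code plus a failed-attempt counter."""

    def __init__(self, code):
        self.code = code
        self.failed = 0
        self.locked = False


def verify_activation(record, submitted):
    """Constant-time comparison plus lockout, so a short code cannot be guessed online."""
    if record.locked:
        return False
    if hmac.compare_digest(record.code.encode(), submitted.encode()):
        return True
    record.failed += 1
    if record.failed >= MAX_ATTEMPTS:
        record.locked = True
    return False
```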