peterclink / oauth

Automatically exported from code.google.com/p/oauth

Python library nonce generation is insecure #241

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The Python library nonce generation uses the following code:

    return ''.join([str(random.randint(0, 9)) for i in range(length)])

This is not terribly secure, as it relies on a non-cryptographically-secure PRNG with an unknown seed.

Instead, nonce generation should be something like this:

    return os.urandom(8).encode('base64')  # Python 2 str.encode; extra ')' removed

Original issue reported on code.google.com by arach...@notdot.net on 15 Oct 2013 at 2:12
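The following is an added example, not code from the issue or from the oauth project: it places a generator modelled on the quoted library code beside a Python 3 equivalent of the suggested `os.urandom` fix, and makes the two weaknesses the report names measurable. `weak_nonce` uses the Mersenne Twister (`random`), whose output is fully determined by its seed, so two generators started from the same seed emit identical nonces; it also draws only from ten digit symbols, so an 8-character nonce carries about 26.6 bits of entropy, against 64 bits for 8 bytes from the OS CSPRNG. The function names and the `seed`/`length` parameters are this example's own assumptions.

```python
import base64
import math
import os
import random
import secrets

# Weak generator, modelled on the library line quoted in the issue:
# a non-cryptographic PRNG and only 10 possible symbols per position.
# `rng` is accepted so the seed-dependence can be shown with random.Random(seed).
def weak_nonce(length=8, rng=random):
    return ''.join(str(rng.randint(0, 9)) for _ in range(length))

# Hardened replacement: Python 3 form of the suggested
# os.urandom(8).encode('base64') (os.urandom reads the OS CSPRNG).
def strong_nonce(nbytes=8):
    return base64.b64encode(os.urandom(nbytes)).decode('ascii')

# Equivalent using the stdlib `secrets` module (also CSPRNG-backed);
# URL-safe output avoids '+', '/' and '=' in OAuth parameters.
def strong_nonce_urlsafe(nbytes=8):
    return secrets.token_urlsafe(nbytes)

# Entropy of a nonce drawn uniformly from `alphabet_size` symbols per position.
def entropy_bits(alphabet_size, length):
    return length * math.log2(alphabet_size)

# Demonstrates the "unknown seed" problem: with the seed known, the whole
# sequence of weak nonces is reproducible. Returns True when two generators
# seeded identically produce identical nonce sequences.
def weak_nonces_repeat_under_known_seed(seed=1234, count=3):
    a = random.Random(seed)
    b = random.Random(seed)
    return ([weak_nonce(rng=a) for _ in range(count)]
            == [weak_nonce(rng=b) for _ in range(count)])

# Sanity check on the strong generator: `count` draws should all be distinct.
def strong_nonces_are_distinct(count=1000):
    return len({strong_nonce() for _ in range(count)}) == count

if __name__ == '__main__':
    print('weak  :', weak_nonce(), f'({entropy_bits(10, 8):.1f} bits)')
    print('strong:', strong_nonce(), f'({entropy_bits(256, 8):.1f} bits)')
    print('seeded weak sequences repeat:', weak_nonces_repeat_under_known_seed())
```

Entropy alone is not the whole story: the weak version's output is predictable from its seed, which is what makes a nonce, whose job is to be unguessable and single-use, useless for replay protection.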