sastrabahu / jaikuengine

Automatically exported from code.google.com/p/jaikuengine
Apache License 2.0
1 stars 0 forks source link

Security: Email activation links are insecure #46

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
The api.activation_required function trims the randomly generated UUID back
to an insecure 4 digits:

@admin_required
def activation_create(api_user, nick, type, content):
  activation_ref = Activation(
      actor=nick,
      content=content,
      code=util.generate_uuid()[:4],
      type=type,
      )
  activation_ref.put()
  return activation_ref

This means that the entire keyspace is 64k which is easily brute forceable.
Ideally the entire UUID would be used by dropping the [:4] above, but this
may create line wrapping problems in some email clients.

Original issue reported on code.google.com by s...@samj.net on 16 Mar 2009 at 5:20

GoogleCodeExporter commented 8 years ago
sounds pretty reasonable, I'd still want to limit the length a bit, maybe 10ish 
digits

Original comment by andyster on 22 Apr 2009 at 11:06