From 068005a349f80b3c6c724cc7a2d0b0c44413f463 Mon Sep 17 00:00:00 2001
From: Nick Pope
Date: Wed, 15 May 2019 21:54:27 +0100
Subject: [PATCH] Refs #27635 -- Removed fallback when SystemRandom() isn't available that doesn't work.
Fallback was untested and likely never triggered.
---
 django/utils/crypto.py | 23 -----------------------
 1 file changed, 23 deletions(-)
diff --git a/django/utils/crypto.py b/django/utils/crypto.py
index 61d02b65cf..b1daa9be37 100644
--- a/django/utils/crypto.py
+++ b/django/utils/crypto.py
@@ -4,21 +4,10 @@ Django's standard crypto functions and utilities.
 import hashlib
 import hmac
 import random
-import time
 from django.conf import settings
 from django.utils.encoding import force_bytes
-# Use the system PRNG if possible
-try:
- random = random.SystemRandom()
- using_sysrandom = True
-except NotImplementedError:
- import warnings
- warnings.warn('A secure pseudo-random number generator is not available ' 'on your system. Falling back to Mersenne Twister.')
- using_sysrandom = False
-
 def salted_hmac(key_salt, value, secret=None):
 """
@@ -54,18 +43,6 @@ def get_random_string(length=12,
 The default length of 12 with the a-z, A-Z, 0-9 character set returns a 71-bit value. log_2((26+26+10)^12) =~ 71 bits
 """
- if not using_sysrandom:
- # This is ugly, and a hack, but it makes things better than
- # the alternative of predictability. This re-seeds the PRNG
- # using a value that is hard for an attacker to predict, every
- # time a random string is required. This may change the
- # properties of the chosen random sequence slightly, but this
- # is better than absolute predictability.
- random.seed(
- hashlib.sha256(
- ('%s%s%s' % (random.getstate(), time.time(), settings.SECRET_KEY)).encode()
- ).digest()
- )
 return ''.join(random.choice(allowed_chars) for i in range(length))
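Review bot: Deleting the whole try block in the first hunk also removes the `random = random.SystemRandom()` rebinding, so the `random` name that the second hunk's surviving context line `return ''.join(random.choice(allowed_chars) for i in range(length))` still calls now resolves to the plain `random` module, i.e. the Mersenne Twister rather than the OS CSPRNG. Nothing in either hunk rebinds it, so unless a line outside these hunks does, this defeats the point of a function whose own docstring measures its output in bits of entropy (`=~ 71 bits`); the fallback was the dead code, the rebinding was not. Keep it as a single new line where the try block stood, `random = random.SystemRandom()`, or switch the call to `secrets.choice(allowed_chars)` together with `import secrets` in place of `import random`. The enclosing `get_random_string` signature begins before the second hunk, so the remaining uses of `random` in that function are only partly visible here.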