From 66c217a98898fcb1509ecc5e282356acb7e103fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20G=C3=B3mez=20Garc=C3=ADa?=
Date: Fri, 10 May 2019 09:56:07 +0200
Subject: [PATCH] Backport of random fixes
---
 server/src/uds/REST/methods/login_logout.py | 2 +-
 server/src/uds/core/auths/auth.py | 4 ++--
 server/src/uds/core/managers/CryptoManager.py | 2 +-
 server/src/uds/models/TicketStore.py | 6 ++----
 .../osmanagers/LinuxOsManager/LinuxRandomPassOsManager.py | 2 +-
 .../osmanagers/WindowsOsManager/WinRandomPassOsManager.py | 2 +-
 server/src/uds/transports/NX/TSNXTransport.py | 2 +-
 server/src/uds/transports/RDP/TRDPTransport.py | 4 ++--
 server/src/uds/transports/SPICE/TSPICETransport.py | 4 ++--
 server/src/uds/transports/X2GO/TX2GOTransport.py | 4 ++--
 server/src/uds/web/transformers.py | 3 ++-
 11 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/server/src/uds/REST/methods/login_logout.py b/server/src/uds/REST/methods/login_logout.py
index f74f59940..2d73769eb 100644
--- a/server/src/uds/REST/methods/login_logout.py
+++ b/server/src/uds/REST/methods/login_logout.py
@@ -78,7 +78,7 @@ class Login(Handler):
 if 'authId' not in self._params and 'authSmallName' not in self._params and 'auth' not in self._params:
 raise RequestError('Invalid parameters (no auth)')
- scrambler = ''.join(random.choice(string.letters + string.digits) for _ in range(32)) # @UndefinedVariable
+ scrambler = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _ in range(32)) # @UndefinedVariable
 authId = self._params.get('authId', None)
 authSmallName = self._params.get('authSmallName', None)
 authName = self._params.get('auth', None)
diff --git a/server/src/uds/core/auths/auth.py b/server/src/uds/core/auths/auth.py
index 64ba782b1..189670ae7 100644
--- a/server/src/uds/core/auths/auth.py
+++ b/server/src/uds/core/auths/auth.py
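Review bot: `string.letters` on the new `scrambler` line is locale-dependent in Python 2 (its contents follow the process locale, and the attribute does not exist on Python 3), so the token alphabet, and therefore the entropy per character, varies with how the server was started; `string.ascii_letters` is fixed and is what the os-manager hunks in this same patch already use. `random.SystemRandom()` is also constructed inside the generator expression, once per character; hoisting it keeps the same os.urandom-backed source with a single object: `rnd = random.SystemRandom()` then `scrambler = ''.join(rnd.choice(string.ascii_letters + string.digits) for _ in range(32))`. The same two points apply to the `cookie` line in auth.py getUDSCookie, the `tunpass` lines in TSNXTransport, TRDPTransport, TSPICETransport and TX2GOTransport, and the `SCRAMBLE_SES` line in transformers.scrambleId. The enclosing Login method begins and ends outside the hunk.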
@@ -53,7 +53,7 @@ from uds.models import User
 import logging
 import six
-__updated__ = '2018-12-21'
+__updated__ = '2019-05-10'
 logger = logging.getLogger(__name__)
 authLogger = logging.getLogger('authLog')
@@ -70,7 +70,7 @@ def getUDSCookie(request, response=None, force=False):
 if 'uds' not in request.COOKIES:
 import random
 import string
- cookie = ''.join(random.choice(string.letters + string.digits) for _ in range(32)) # @UndefinedVariable
+ cookie = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _ in range(32)) # @UndefinedVariable
 if response is not None:
 response.set_cookie('uds', cookie)
 request.COOKIES['uds'] = cookie
diff --git a/server/src/uds/core/managers/CryptoManager.py b/server/src/uds/core/managers/CryptoManager.py
index af94ca6f6..4a0d48e01 100644
--- a/server/src/uds/core/managers/CryptoManager.py
+++ b/server/src/uds/core/managers/CryptoManager.py
@@ -189,4 +189,4 @@ class CryptoManager(object):
 return six.text_type(uuid.uuid5(self._namespace, six.binary_type(obj))).lower() # uuid must return a lowercase uuid always?, just in case... :)
 def randomString(self, length=40):
- return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(length))
+ return ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(length))
diff --git a/server/src/uds/models/TicketStore.py b/server/src/uds/models/TicketStore.py
index cf4a3bc6f..ccf65117f 100644
--- a/server/src/uds/models/TicketStore.py
+++ b/server/src/uds/models/TicketStore.py
@@ -44,7 +44,7 @@ import logging
 logger = logging.getLogger(__name__)
-__updated__ = '2018-07-19'
+__updated__ = '2019-05-10'
 class TicketStore(UUIDModel):
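Review bot: The `cookie` value in getUDSCookie is now unpredictable, but the `response.set_cookie('uds', cookie)` context line two lines below still sets it with no `httponly` or `secure` flag, so the identifier is readable by page scripts and sent over plain HTTP. If nothing client-side needs to read it, `response.set_cookie('uds', cookie, httponly=True, secure=request.is_secure())` keeps the same value while narrowing exposure; whether a script reads it cannot be told from this hunk, so that should be confirmed before changing it. Either way a short comment on what the `uds` cookie identifies would help the next reader, since the function only shows it being minted. getUDSCookie's body continues past the hunk.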
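Review bot: `randomString` in CryptoManager has no docstring, and neither its name nor its signature tells callers that the alphabet is `[a-z0-9]` or that, after this change, the characters come from `os.urandom` via `SystemRandom`. Add `"""Return *length* characters from [a-z0-9] drawn with random.SystemRandom (os.urandom-backed), suitable for secret tokens."""`. At about 5.17 bits per character the default `length=40` is ample, but a caller passing a short `length` gets proportionally less, which is worth stating there. As elsewhere in the patch, `SystemRandom()` is built once per character inside the generator; one instance created before the `join` would do. The rest of the class is outside the hunk.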
@@ -77,9 +77,7 @@ class TicketStore(UUIDModel):
 @staticmethod
 def generateUuid():
- # more secure is this:
- # ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(40))
- return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(40))
+ return ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(40))
 @staticmethod
 def create(data, validator=None, validity=DEFAULT_VALIDITY):
diff --git a/server/src/uds/osmanagers/LinuxOsManager/LinuxRandomPassOsManager.py b/server/src/uds/osmanagers/LinuxOsManager/LinuxRandomPassOsManager.py
index 6591d5ba5..3f0dd8aae 100644
--- a/server/src/uds/osmanagers/LinuxOsManager/LinuxRandomPassOsManager.py
+++ b/server/src/uds/osmanagers/LinuxOsManager/LinuxRandomPassOsManager.py
@@ -78,7 +78,7 @@ class LinuxRandomPassManager(LinuxOsManager):
 import string
 randomPass = service.recoverValue('linOsRandomPass')
 if randomPass is None:
- randomPass = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(16))
+ randomPass = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))
 service.storeValue('linOsRandomPass', randomPass)
 log.doLog(service, log.INFO, "Password set to \"{}\"".format(randomPass), log.OSMANAGER)
diff --git a/server/src/uds/osmanagers/WindowsOsManager/WinRandomPassOsManager.py b/server/src/uds/osmanagers/WindowsOsManager/WinRandomPassOsManager.py
index ab9acabc0..15c6372c5 100644
--- a/server/src/uds/osmanagers/WindowsOsManager/WinRandomPassOsManager.py
+++ b/server/src/uds/osmanagers/WindowsOsManager/WinRandomPassOsManager.py
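Review bot: With the two explanatory comments removed, `generateUuid` in TicketStore is left with no documentation at all, and its name is misleading: the new `return` produces 40 characters of `[a-z0-9]`, not a UUID. A docstring should carry what the deleted comment used to hint at: `"""Return a 40-character random ticket id from [a-z0-9], drawn from os.urandom via random.SystemRandom."""`. Whether any caller relies on the value being UUID-shaped cannot be seen here; the `TicketStore` class continues outside the hunk.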
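Review bot: The `log.doLog(service, log.INFO, "Password set to \"{}\"".format(randomPass), log.OSMANAGER)` context line right after the new `randomPass` line in LinuxRandomPassManager writes the freshly generated account password in clear text at INFO level, which gives away much of what switching to `SystemRandom` gains if that log is stored, shipped or viewed anywhere less protected than `service.storeValue`. If the event is worth logging, log it without the value, e.g. `log.doLog(service, log.INFO, "Random password generated and stored", log.OSMANAGER)`; if operators deliberately read the password from this log, a comment on the line saying so would stop the next reviewer from removing it. WinRandomPassManager in the next file has the identical line. Both enclosing methods begin outside their hunks.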
@@ -62,7 +62,7 @@ class WinRandomPassManager(WindowsOsManager):
 import string
 randomPass = service.recoverValue('winOsRandomPass')
 if randomPass is None:
- randomPass = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(16))
+ randomPass = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))
 service.storeValue('winOsRandomPass', randomPass)
 log.doLog(service, log.INFO, "Password set to \"{}\"".format(randomPass), log.OSMANAGER)
 return randomPass
diff --git a/server/src/uds/transports/NX/TSNXTransport.py b/server/src/uds/transports/NX/TSNXTransport.py
index 00beae4aa..91efb04e2 100644
--- a/server/src/uds/transports/NX/TSNXTransport.py
+++ b/server/src/uds/transports/NX/TSNXTransport.py
@@ -194,7 +194,7 @@ class TSNXTransport(Transport):
 if self._useEmptyCreds is True:
 username, password = '', ''
- tunpass = ''.join(random.choice(string.letters + string.digits) for _i in range(12))
+ tunpass = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _i in range(12))
 tunuser = TicketStore.create(tunpass)
 sshServer = self._tunnelServer
diff --git a/server/src/uds/transports/RDP/TRDPTransport.py b/server/src/uds/transports/RDP/TRDPTransport.py
index 190a8676c..a7642e98e 100644
--- a/server/src/uds/transports/RDP/TRDPTransport.py
+++ b/server/src/uds/transports/RDP/TRDPTransport.py
@@ -48,7 +48,7 @@ import logging
 import random
 import string
-__updated__ = '2018-09-06'
+__updated__ = '2019-05-10'
 logger = logging.getLogger(__name__)
@@ -118,7 +118,7 @@ class TRDPTransport(BaseRDPTransport):
 width, height = self.screenSize.value.split('x')
 depth = self.colorDepth.value
- tunpass = ''.join(random.choice(string.letters + string.digits) for _i in range(12))
+ tunpass = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _i in range(12))
 tunuser = TicketStore.create(tunpass)
 sshHost, sshPort = self.tunnelServer.value.split(':')
diff --git a/server/src/uds/transports/SPICE/TSPICETransport.py b/server/src/uds/transports/SPICE/TSPICETransport.py
index ac19407ea..00590e12b 100644
--- a/server/src/uds/transports/SPICE/TSPICETransport.py
+++ b/server/src/uds/transports/SPICE/TSPICETransport.py
@@ -47,7 +47,7 @@ import logging
 import random
 import string
-__updated__ = '2017-12-20'
+__updated__ = '2019-05-10'
 logger = logging.getLogger(__name__)
@@ -87,7 +87,7 @@ class TSPICETransport(BaseSpiceTransport):
 secure_port = -1 if secure_port is None else secure_port # Ticket
- tunpass = ''.join(random.choice(string.letters + string.digits) for _i in range(12))
+ tunpass = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _i in range(12))
 tunuser = TicketStore.create(tunpass)
 sshHost, sshPort = self.tunnelServer.value.split(':')
diff --git a/server/src/uds/transports/X2GO/TX2GOTransport.py b/server/src/uds/transports/X2GO/TX2GOTransport.py
index 7c13eceb1..5fe3c23be 100644
--- a/server/src/uds/transports/X2GO/TX2GOTransport.py
+++ b/server/src/uds/transports/X2GO/TX2GOTransport.py
@@ -45,7 +45,7 @@ import logging
 import random
 import string
-__updated__ = '2018-03-22'
+__updated__ = '2019-05-10'
 logger = logging.getLogger(__name__)
@@ -110,7 +110,7 @@ class TX2GOTransport(BaseX2GOTransport):
 user=username
 )
- tunpass = ''.join(random.choice(string.letters + string.digits) for _i in range(12))
+ tunpass = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _i in range(12))
 tunuser = TicketStore.create(tunpass)
 sshHost, sshPort = self.tunnelServer.value.split(':')
diff --git a/server/src/uds/web/transformers.py b/server/src/uds/web/transformers.py
index 7526e7e3c..8d33d8288 100644
--- a/server/src/uds/web/transformers.py
+++ b/server/src/uds/web/transformers.py
@@ -63,12 +63,13 @@ def transformId(view_func):
 except Exception:
 return errors.errorView(request, errors.INVALID_REQUEST)
 return view_func(request, *args, **kwargs)
+ return _wrapped_view
 def scrambleId(request, id_):
 if request.session.get(SCRAMBLE_SES) is None:
- request.session[SCRAMBLE_SES] = ''.join(random.choice(string.letters) for _ in range(SCRAMBLE_LEN))
+ request.session[SCRAMBLE_SES] = ''.join(random.SystemRandom().choice(string.letters) for _ in range(SCRAMBLE_LEN))
 return base64.b64encode(unicode(id_) + request.session.get(SCRAMBLE_SES)).encode('hex')
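Review bot: `scrambleId` has no docstring, and the `return base64.b64encode(unicode(id_) + request.session.get(SCRAMBLE_SES)).encode('hex')` line shows that the per-session value is appended to the id rather than mixed into it, so the output is a session-bound tag, not concealment: the leading characters of the base64 text encode `id_` directly, and the random suffix (now properly unpredictable) is what ties the value to one session. A docstring should say exactly that so nobody later treats the result as hiding the id, e.g. `"""Return id_ encoded with the session's random SCRAMBLE_SES suffix; binds the value to this session, does not hide the id."""`; how strictly the suffix is checked on the way back is in the decoder, which is not in this hunk. Separately, `_wrapped_view` is now returned from `transformId`, but its definition is above the hunk, so whether it is wrapped with `functools.wraps(view_func)` cannot be seen here; without it the decorated view loses its name and docstring. `transformId` starts before the hunk.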