Backport of random fixes

2025-03-11 00:58:39 +03:00 · 2019-05-10 09:56:07 +02:00 · 2019-05-10 09:56:07 +02:00 · 66c217a988
commit 66c217a988
parent d6935d0210
11 changed files with 17 additions and 18 deletions
--- a/server/src/uds/REST/methods/login_logout.py
+++ b/server/src/uds/REST/methods/login_logout.py
@ -78,7 +78,7 @@ class Login(Handler):
            if 'authId' not in self._params and 'authSmallName' not in self._params and 'auth' not in self._params:
                raise RequestError('Invalid parameters (no auth)')

-            scrambler = ''.join(random.choice(string.letters + string.digits) for _ in range(32))  # @UndefinedVariable
+            scrambler = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _ in range(32))  # @UndefinedVariable
            authId = self._params.get('authId', None)
            authSmallName = self._params.get('authSmallName', None)
            authName = self._params.get('auth', None)
--- a/server/src/uds/core/auths/auth.py
+++ b/server/src/uds/core/auths/auth.py
@ -53,7 +53,7 @@ from uds.models import User
 import logging
 import six

-__updated__ = '2018-12-21'
+__updated__ = '2019-05-10'

 logger = logging.getLogger(__name__)
 authLogger = logging.getLogger('authLog')
@ -70,7 +70,7 @@ def getUDSCookie(request, response=None, force=False):
    if 'uds' not in request.COOKIES:
        import random
        import string
-        cookie = ''.join(random.choice(string.letters + string.digits) for _ in range(32))  # @UndefinedVariable
+        cookie = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _ in range(32))  # @UndefinedVariable
        if response is not None:
            response.set_cookie('uds', cookie)
        request.COOKIES['uds'] = cookie
--- a/server/src/uds/core/managers/CryptoManager.py
+++ b/server/src/uds/core/managers/CryptoManager.py
@ -189,4 +189,4 @@ class CryptoManager(object):
        return six.text_type(uuid.uuid5(self._namespace, six.binary_type(obj))).lower()  # uuid must return a lowercase uuid always?, just in case... :)

    def randomString(self, length=40):
-        return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(length))
+        return ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(length))
--- a/server/src/uds/models/TicketStore.py
+++ b/server/src/uds/models/TicketStore.py
@ -44,7 +44,7 @@ import logging

 logger = logging.getLogger(__name__)

-__updated__ = '2018-07-19'
+__updated__ = '2019-05-10'


 class TicketStore(UUIDModel):
@ -77,9 +77,7 @@ class TicketStore(UUIDModel):

    @staticmethod
    def generateUuid():
-        # more secure is this:
-        # ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(40))
-        return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(40))
+        return ''.join(random.SystemRandom().choice(string.ascii_lowercase + string.digits) for _ in range(40))

    @staticmethod
    def create(data, validator=None, validity=DEFAULT_VALIDITY):
--- a/server/src/uds/osmanagers/LinuxOsManager/LinuxRandomPassOsManager.py
+++ b/server/src/uds/osmanagers/LinuxOsManager/LinuxRandomPassOsManager.py
@ -78,7 +78,7 @@ class LinuxRandomPassManager(LinuxOsManager):
        import string
        randomPass = service.recoverValue('linOsRandomPass')
        if randomPass is None:
-            randomPass = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(16))
+            randomPass = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))
            service.storeValue('linOsRandomPass', randomPass)
            log.doLog(service, log.INFO, "Password set to \"{}\"".format(randomPass), log.OSMANAGER)

--- a/server/src/uds/osmanagers/WindowsOsManager/WinRandomPassOsManager.py
+++ b/server/src/uds/osmanagers/WindowsOsManager/WinRandomPassOsManager.py
@ -62,7 +62,7 @@ class WinRandomPassManager(WindowsOsManager):
        import string
        randomPass = service.recoverValue('winOsRandomPass')
        if randomPass is None:
-            randomPass = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(16))
+            randomPass = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(16))
            service.storeValue('winOsRandomPass', randomPass)
            log.doLog(service, log.INFO, "Password set to \"{}\"".format(randomPass), log.OSMANAGER)
        return randomPass
--- a/server/src/uds/transports/NX/TSNXTransport.py
+++ b/server/src/uds/transports/NX/TSNXTransport.py
@ -194,7 +194,7 @@ class TSNXTransport(Transport):
        if self._useEmptyCreds is True:
            username, password = '', ''

-        tunpass = ''.join(random.choice(string.letters + string.digits) for _i in range(12))
+        tunpass = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _i in range(12))
        tunuser = TicketStore.create(tunpass)

        sshServer = self._tunnelServer
--- a/server/src/uds/transports/RDP/TRDPTransport.py
+++ b/server/src/uds/transports/RDP/TRDPTransport.py
@ -48,7 +48,7 @@ import logging
 import random
 import string

-__updated__ = '2018-09-06'
+__updated__ = '2019-05-10'

 logger = logging.getLogger(__name__)

@ -118,7 +118,7 @@ class TRDPTransport(BaseRDPTransport):
        width, height = self.screenSize.value.split('x')
        depth = self.colorDepth.value

-        tunpass = ''.join(random.choice(string.letters + string.digits) for _i in range(12))
+        tunpass = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _i in range(12))
        tunuser = TicketStore.create(tunpass)

        sshHost, sshPort = self.tunnelServer.value.split(':')
--- a/server/src/uds/transports/SPICE/TSPICETransport.py
+++ b/server/src/uds/transports/SPICE/TSPICETransport.py
@ -47,7 +47,7 @@ import logging
 import random
 import string

-__updated__ = '2017-12-20'
+__updated__ = '2019-05-10'

 logger = logging.getLogger(__name__)

@ -87,7 +87,7 @@ class TSPICETransport(BaseSpiceTransport):
        secure_port = -1 if secure_port is None else secure_port

        # Ticket
-        tunpass = ''.join(random.choice(string.letters + string.digits) for _i in range(12))
+        tunpass = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _i in range(12))
        tunuser = TicketStore.create(tunpass)

        sshHost, sshPort = self.tunnelServer.value.split(':')
--- a/server/src/uds/transports/X2GO/TX2GOTransport.py
+++ b/server/src/uds/transports/X2GO/TX2GOTransport.py
@ -45,7 +45,7 @@ import logging
 import random
 import string

-__updated__ = '2018-03-22'
+__updated__ = '2019-05-10'

 logger = logging.getLogger(__name__)

@ -110,7 +110,7 @@ class TX2GOTransport(BaseX2GOTransport):
            user=username
        )

-        tunpass = ''.join(random.choice(string.letters + string.digits) for _i in range(12))
+        tunpass = ''.join(random.SystemRandom().choice(string.letters + string.digits) for _i in range(12))
        tunuser = TicketStore.create(tunpass)

        sshHost, sshPort = self.tunnelServer.value.split(':')
--- a/server/src/uds/web/transformers.py
+++ b/server/src/uds/web/transformers.py
@ -63,12 +63,13 @@ def transformId(view_func):
                except Exception:
                    return errors.errorView(request, errors.INVALID_REQUEST)
        return view_func(request, *args, **kwargs)
+
    return _wrapped_view


 def scrambleId(request, id_):
    if request.session.get(SCRAMBLE_SES) is None:
-        request.session[SCRAMBLE_SES] = ''.join(random.choice(string.letters) for _ in range(SCRAMBLE_LEN))
+        request.session[SCRAMBLE_SES] = ''.join(random.SystemRandom().choice(string.letters) for _ in range(SCRAMBLE_LEN))
    return base64.b64encode(unicode(id_) + request.session.get(SCRAMBLE_SES)).encode('hex')