
yahoo-eng-team team mailing list archive

[Bug 1368040] Re: random.choice in /cinder/volume/utils.py may has potential security issue

 

Brant, so if I were to move this to a common code base, is the solution
that Cinder is currently using the better solution?

** Changed in: cinder
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1368040

Title:
  random.choice in /cinder/volume/utils.py may has potential security
  issue

Status in Cinder:
  Invalid
Status in OpenStack Compute (Nova):
  Incomplete
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  The choice is used for security here; could we find other, more
  secure methods to generate randomness?

  # NOTE(jerdfelt): Some password policies require at least one character
  # from each group of symbols, so start off with one random character
  # from each symbol group
  password = [random.choice(s) for s in symbolgroups]  # <-- This line has the described issue
  # If length < len(symbolgroups), the leading characters will only
  # be from the first length groups. Try our best to not be predictable
  # by shuffling and then truncating.

  # then fill with random characters from all symbol groups
  symbols = ''.join(symbolgroups)
  password.extend([random.choice(symbols) for _i in xrange(length)])  # <-- This line has the described issue

  # finally shuffle to ensure first x characters aren't from a
  # predictable group

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1368040/+subscriptions
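
An added example, not the Cinder or Nova code: the steps described in the quoted comments, drawing from random.SystemRandom (OS entropy) instead of the module-level random.choice, plus a check showing that a seeded generator reproduces the same password. The symbol groups, function names and seed value are assumptions made for illustration.

```python
import random
import string

# Constructed symbol groups for this example (assumption, not project defaults).
SYMBOL_GROUPS = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def generate_password(length=16, symbolgroups=SYMBOL_GROUPS, rng=None):
    """Build a password following the steps in the comments quoted above.

    rng defaults to random.SystemRandom(), which draws from os.urandom
    rather than the seedable Mersenne Twister behind random.choice.
    """
    if length < 0:
        raise ValueError("length must be non-negative")
    r = rng if rng is not None else random.SystemRandom()

    # One character from each symbol group, to satisfy password policies.
    password = [r.choice(group) for group in symbolgroups]
    # If length < len(symbolgroups), shuffle before truncating so the
    # kept characters do not always come from the first groups.
    r.shuffle(password)
    password = password[:length]

    # Fill the remainder from the union of all groups.
    symbols = "".join(symbolgroups)
    password.extend(r.choice(symbols) for _ in range(length - len(password)))

    # Final shuffle so the leading characters are not from a predictable group.
    r.shuffle(password)
    return "".join(password)


def seeded_output_repeats(seed=12345):
    """Same seed, same password: why a seedable PRNG is unsuitable here."""
    first = generate_password(rng=random.Random(seed))
    second = generate_password(rng=random.Random(seed))
    return first == second


if __name__ == "__main__":
    print(generate_password())
    print("seeded PRNG repeats:", seeded_output_repeats())
```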