yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #30840
[Bug 1368040] Re: random.choice in /cinder/volume/utils.py may has potential security issue
** Changed in: nova
Status: Incomplete => Opinion
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1368040
Title:
random.choice in /cinder/volume/utils.py may has potential security
issue
Status in Cinder:
Invalid
Status in OpenStack Compute (Nova):
Opinion
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
The choice is used for security here, could we find out other more
security methods to generate randomness?
# NOTE(jerdfelt): Some password policies require at least one character
# from each group of symbols, so start off with one random character
# from each symbol group
password = [random.choice(s) for s in symbolgroups] --------------> This line has described issue
# If length < len(symbolgroups), the leading characters will only
# be from the first length groups. Try our best to not be predictable
# by shuffling and then truncating.
# then fill with random characters from all symbol groups
symbols = ''.join(symbolgroups)
password.extend([random.choice(symbols) for _i in xrange(length)]) --------------> This line has described issue
# finally shuffle to ensure first x characters aren't from a
# predictable group
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1368040/+subscriptions