Opened 7 weeks ago

#31967 new defect

BridgeDB Server uses insecure pseudorandom generator for selecting cached captcha

Reported by: willbarr
Owned by:
Priority: Medium
Milestone:
Component: Circumvention/BridgeDB
Version: sbws: unspecified
Severity: Normal
Keywords:
Cc: phw
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

https://gitweb.torproject.org/bridgedb.git/tree/bridgedb/captcha.py#n389

From the Python documentation: "The pseudo-random generators of this module (random) should not be used for security purposes."

It should use the secrets module's secrets.choice() or, if you plan to keep Python 2 compatibility, random.SystemRandom.choice().
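
Added example, not part of the ticket or of BridgeDB's code: a cache selection made with the default generator beside the CSPRNG-backed replacement the reporter names, showing that the first can be replayed from its state while the second has no state to capture. The function names and the list of cached file names are assumptions constructed for illustration.

```python
import random

try:                                  # Python 3.6+
    from secrets import choice as secure_choice
except ImportError:                   # Python 2 fallback named in the ticket
    secure_choice = random.SystemRandom().choice

# Constructed sample standing in for the files in a CAPTCHA cache directory.
CACHED_CAPTCHAS = ["captcha-%04d.jpg" % i for i in range(500)]


def pick_insecure(cache, rng=random):
    """Hypothetical stand-in for the reported pattern: Mersenne Twister picks the image."""
    return rng.choice(cache)


def pick_secure(cache):
    """Replacement: the choice is drawn from the OS CSPRNG (os.urandom)."""
    if not cache:
        raise ValueError("CAPTCHA cache is empty")
    return secure_choice(cache)


def replay_from_state(cache, state, count):
    """Reproduce `count` picks from a captured Mersenne Twister state."""
    clone = random.Random()
    clone.setstate(state)
    return [clone.choice(cache) for _ in range(count)]


def demo():
    server_rng = random.Random()        # stands in for the module-level generator
    state = server_rng.getstate()       # generator state fully determines the future
    served = [pick_insecure(CACHED_CAPTCHAS, server_rng) for _ in range(20)]
    predicted = replay_from_state(CACHED_CAPTCHAS, state, 20)

    # SystemRandom keeps no internal state that could be captured or replayed.
    try:
        random.SystemRandom().getstate()
        csprng_has_state = True
    except NotImplementedError:
        csprng_has_state = False
    return served == predicted, csprng_has_state


if __name__ == "__main__":
    print(demo())                       # (True, False)
    print(pick_secure(CACHED_CAPTCHAS))
```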

Change History (0)