SecureRandom cache_id generation #2326
Comments
Thank you. But a number less than 10000 is considered predictable.
How much is enough?
128bit is enough. If fixed length is desirable, how about using the following?

```ruby
require 'securerandom'
'%032x' % SecureRandom.random_number(1 << 128) # 128bit hex
```

One thing to be noted here is that when I looked into the source code of carrierwave some months ago, I found some regexps in carrierwave that assumed the random number consisted of 4 decimal digits, and that's why I suggested a weird solution in the first post. So, to make the part longer and use hex chars, some change might be necessary somewhere else.
I'm not quite certain but maybe the regex I found was this.
My concern is that changing the format of the cache id may break compatibility for existing installations. I guess it will not, but I must think deeper before I'm certain.
I've decided not to change the cache id format because of compatibility concerns.
As a security tester, I have seen developers who assume cache_id is unpredictable, but that's not actually true in the strict sense.
Would you be able to make it truly secure random?
The following is a quick but dirty fix for generate_cache_id method.
Thanks.
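
The trade-off discussed in this thread, as an added example that is not part of the issue or of carrierwave's code: it compares the entropy of a 4-digit decimal field with the suggested 128-bit hex field, and shows how a validator written for the short field rejects the longer one. The id layout, both regexes and all method names are hypothetical, constructed for illustration.

```ruby
require 'securerandom'

# Hypothetical id layout (an assumption, not copied from carrierwave):
#   <unix-time>-<pid>-<4-digit counter>-<random field>
# Validator that assumes the random field is exactly 4 decimal digits.
LEGACY_ID = /\A\d+-\d+-\d{4}-\d{4}\z/
# Widened validator: accepts the old 4-digit field or a 32-char hex field.
WIDENED_ID = /\A\d+-\d+-\d{4}-(?:\d{4}|\h{32})\z/

# Bits of entropy in a field drawn uniformly from `space` possible values.
def entropy_bits(space)
  Math.log2(space)
end

# Shared prefix: timestamp, process id and a wrapping 4-digit counter.
def id_prefix(now, counter)
  [now.to_i, Process.pid, '%04d' % (counter % 10_000)]
end

# Short form: CSPRNG output, but fewer than 10000 possible values.
def short_cache_id(now: Time.now.utc, counter: 0)
  (id_prefix(now, counter) << '%04d' % SecureRandom.random_number(10_000)).join('-')
end

# Long form: the fixed-length 128-bit hex field suggested in the thread.
def wide_cache_id(now: Time.now.utc, counter: 0)
  (id_prefix(now, counter) << '%032x' % SecureRandom.random_number(1 << 128)).join('-')
end

# Report which of the two validators accepts a given id.
def accepted_by(id)
  { legacy: LEGACY_ID.match?(id), widened: WIDENED_ID.match?(id) }
end

if __FILE__ == $PROGRAM_NAME
  puts format('4 decimal digits: %.1f bits', entropy_bits(10_000))
  puts format('128-bit hex:      %.1f bits', entropy_bits(1 << 128))
  [short_cache_id, wide_cache_id].each do |id|
    puts "#{id} => #{accepted_by(id)}"
  end
end
```

Any code that parses stored ids (cleanup jobs, path checks) needs the widened pattern deployed before the generator switches formats, otherwise ids created after the switch are rejected.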