diff options
author | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-09-03 12:12:14 +0000 |
---|---|---|
committer | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-09-03 12:12:14 +0000 |
commit | 16dbb79e88afc21bf1621acff54cabf1757430b1 (patch) | |
tree | 8626a9da2795d74022fc0551f0d71a67e543332e /lib/cgi | |
parent | 5f6dedda011f51de104dcaedf309bc0dad4cac45 (diff) | |
download | ruby-16dbb79e88afc21bf1621acff54cabf1757430b1.tar.gz |
session.rb: SHA512
* lib/cgi/session.rb (create_new_id): use SHA512 instead of MD5.
pointed out by SARWAR JAHAN.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51748 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib/cgi')
-rw-r--r-- | lib/cgi/session.rb | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/lib/cgi/session.rb b/lib/cgi/session.rb index 63c5003526..8d747f0dc7 100644 --- a/lib/cgi/session.rb +++ b/lib/cgi/session.rb @@ -163,24 +163,26 @@ class CGI # Create a new session id. # - # The session id is an MD5 hash based upon the time, - # a random number, and a constant string. This routine - # is used internally for automatically generated - # session ids. + # The session id is a secure random number by SecureRandom + # if possible, otherwise an SHA512 hash based upon the time, + # a random number, and a constant string. This routine is + # used internally for automatically generated session ids. def create_new_id require 'securerandom' begin + # by OpenSSL, or system provided entropy pool session_id = SecureRandom.hex(16) rescue NotImplementedError - require 'digest/md5' - md5 = Digest::MD5::new + # never happens on modern systems + require 'digest' + d = Digest('SHA512').new now = Time::now - md5.update(now.to_s) - md5.update(String(now.usec)) - md5.update(String(rand(0))) - md5.update(String($$)) - md5.update('foobar') - session_id = md5.hexdigest + d.update(now.to_s) + d.update(String(now.usec)) + d.update(String(rand(0))) + d.update(String($$)) + d.update('foobar') + session_id = d.hexdigest[0, 32] end session_id end |