-rw-r--r--ChangeLog5
-rw-r--r--lib/cgi/session.rb26
2 files changed, 19 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index aea17ab273..9daf5aa052 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu Sep 3 21:12:12 2015 Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+ * lib/cgi/session.rb (create_new_id): use SHA512 instead of MD5.
+ pointed out by SARWAR JAHAN.
+
Thu Sep 3 20:29:18 2015 Koichi Sasada <ko1@atdot.net>
* gc.c (rb_raw_obj_info): iseq->body->location.first_lineno is Fixnum.
diff --git a/lib/cgi/session.rb b/lib/cgi/session.rb
index 63c5003526..8d747f0dc7 100644
--- a/lib/cgi/session.rb
+++ b/lib/cgi/session.rb
@@ -163,24 +163,26 @@ class CGI
# Create a new session id.
#
- # The session id is an MD5 hash based upon the time,
- # a random number, and a constant string. This routine
- # is used internally for automatically generated
- # session ids.
+ # The session id is a secure random number by SecureRandom
+ # if possible, otherwise an SHA512 hash based upon the time,
+ # a random number, and a constant string. This routine is
+ # used internally for automatically generated session ids.
def create_new_id
require 'securerandom'
begin
+ # by OpenSSL, or system provided entropy pool
session_id = SecureRandom.hex(16)
rescue NotImplementedError
- require 'digest/md5'
- md5 = Digest::MD5::new
+ # never happens on modern systems
+ require 'digest'
+ d = Digest('SHA512').new
now = Time::now
- md5.update(now.to_s)
- md5.update(String(now.usec))
- md5.update(String(rand(0)))
- md5.update(String($$))
- md5.update('foobar')
- session_id = md5.hexdigest
+ d.update(now.to_s)
+ d.update(String(now.usec))
+ d.update(String(rand(0)))
+ d.update(String($$))
+ d.update('foobar')
+ session_id = d.hexdigest[0, 32]
end
session_id
end
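Review bot: The fallback branch still feeds only `now.to_s`, `now.usec`, `rand(0)`, `$$` and a fixed string into the digest, so replacing MD5 with SHA512 changes the output format but not the entropy of the id: `rand` is the non-cryptographic Mersenne Twister and the other inputs are low-entropy and observable, so a session id produced here is far weaker than the `SecureRandom.hex(16)` path it stands in for. Since the new comment at `# never happens on modern systems` already treats this branch as unreachable, the safer behaviour is to fail loudly rather than silently hand out a guessable id, e.g. `rescue NotImplementedError => e` / `raise e, "SecureRandom unavailable: cannot generate a secure session id"`. If the fallback must be kept for old platforms, the rescue should at least carry a comment such as `# WARNING: low-entropy fallback; ids from this path are predictable and must not be relied on for security`, and the docstring above should say the same instead of implying SHA512 makes it equivalent. The truncation `d.hexdigest[0, 32]` keeps the 32-hex-character length of the primary path, which callers may depend on, so that part is fine.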