diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | lib/cgi/session.rb | 26 |
2 files changed, 19 insertions, 12 deletions
@@ -1,3 +1,8 @@ +Thu Sep 3 21:12:12 2015 Nobuyoshi Nakada <nobu@ruby-lang.org> + + * lib/cgi/session.rb (create_new_id): use SHA512 instead of MD5. + pointed out by SARWAR JAHAN. + Thu Sep 3 20:29:18 2015 Koichi Sasada <ko1@atdot.net> * gc.c (rb_raw_obj_info): iseq->body->location.first_lineno is Fixnum. diff --git a/lib/cgi/session.rb b/lib/cgi/session.rb index 63c5003526..8d747f0dc7 100644 --- a/lib/cgi/session.rb +++ b/lib/cgi/session.rb @@ -163,24 +163,26 @@ class CGI # Create a new session id. # - # The session id is an MD5 hash based upon the time, - # a random number, and a constant string. This routine - # is used internally for automatically generated - # session ids. + # The session id is a secure random number by SecureRandom + # if possible, otherwise an SHA512 hash based upon the time, + # a random number, and a constant string. This routine is + # used internally for automatically generated session ids. def create_new_id require 'securerandom' begin + # by OpenSSL, or system provided entropy pool session_id = SecureRandom.hex(16) rescue NotImplementedError - require 'digest/md5' - md5 = Digest::MD5::new + # never happens on modern systems + require 'digest' + d = Digest('SHA512').new now = Time::now - md5.update(now.to_s) - md5.update(String(now.usec)) - md5.update(String(rand(0))) - md5.update(String($$)) - md5.update('foobar') - session_id = md5.hexdigest + d.update(now.to_s) + d.update(String(now.usec)) + d.update(String(rand(0))) + d.update(String($$)) + d.update('foobar') + session_id = d.hexdigest[0, 32] end session_id end |