From 562dcbc3f766534f09e69ca4f116265e893e0257 Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Thu, 3 Sep 2015 12:12:14 +0000
Subject: session.rb: SHA512

* lib/cgi/session.rb (create_new_id): use SHA512 instead of MD5.
  pointed out by SARWAR JAHAN.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51748 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/cgi/session.rb | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

(limited to 'lib/cgi')

diff --git a/lib/cgi/session.rb b/lib/cgi/session.rb
index 63c5003526..8d747f0dc7 100644
--- a/lib/cgi/session.rb
+++ b/lib/cgi/session.rb
@@ -163,24 +163,26 @@ class CGI
 
     # Create a new session id.
     #
-    # The session id is an MD5 hash based upon the time,
-    # a random number, and a constant string.  This routine
-    # is used internally for automatically generated
-    # session ids.
+    # The session id is a secure random number by SecureRandom
+    # if possible, otherwise an SHA512 hash based upon the time,
+    # a random number, and a constant string.  This routine is
+    # used internally for automatically generated session ids.
     def create_new_id
       require 'securerandom'
       begin
+        # by OpenSSL, or system provided entropy pool
         session_id = SecureRandom.hex(16)
       rescue NotImplementedError
-        require 'digest/md5'
-        md5 = Digest::MD5::new
+        # never happens on modern systems
+        require 'digest'
+        d = Digest('SHA512').new
         now = Time::now
-        md5.update(now.to_s)
-        md5.update(String(now.usec))
-        md5.update(String(rand(0)))
-        md5.update(String($$))
-        md5.update('foobar')
-        session_id = md5.hexdigest
+        d.update(now.to_s)
+        d.update(String(now.usec))
+        d.update(String(rand(0)))
+        d.update(String($$))
+        d.update('foobar')
+        session_id = d.hexdigest[0, 32]
       end
       session_id
     end
-- 
cgit v1.2.3