authorMaxime “pep” Buquet <pep@bouah.net>2019-07-13 14:07:31 +0200
committerMaxime “pep” Buquet <pep@bouah.net>2019-07-13 14:07:31 +0200
commitb29bb30eb7bb46ce2b945efed55a265324e05383 (patch)
tree688eb7aa321846123a9ef9e9047b85da80b5fc68
parent4435c81d77c651a20bfe979ed8d20f9887c057d1 (diff)
Make generated stanza id truly random
Fix a long-standing security issue where the stanza @id could be predictable. Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>
-rw-r--r--slixmpp/test/slixtest.py7
-rw-r--r--slixmpp/xmlstream/xmlstream.py12
2 files changed, 8 insertions, 11 deletions
diff --git a/slixmpp/test/slixtest.py b/slixmpp/test/slixtest.py
index 3953d77d..802df73c 100644
--- a/slixmpp/test/slixtest.py
+++ b/slixmpp/test/slixtest.py
@@ -340,6 +340,13 @@ class SlixTest(unittest.TestCase):
self.xmpp.default_lang = None
self.xmpp.peer_default_lang = None
+ def new_id():
+ self.xmpp._id += 1
+ return str(self.xmpp._id)
+
+ self.xmpp._id = 0
+ self.xmpp.new_id = new_id
+
# Must have the stream header ready for xmpp.process() to work.
if not header:
header = self.xmpp.stream_header
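Review bot: The monkey-patched `new_id` closure at the top of the hunk has no comment saying why the test harness overrides the stream's id generator, and after this commit `_id` no longer exists on XMLStream itself (it is removed in the xmlstream.py hunk), so a reader will not find the counter's origin anywhere else. Presumably the fixtures compare sent stanzas against literal ids and need determinism; if so, add `# The stream now generates random ids; tests match literal ids, so use a counter.` above `def new_id():`. It would also be worth a one-line note that `self.xmpp._id = 0` must be set before any stanza is built in the test, since the closure reads it unconditionally. The enclosing setup method begins before this hunk.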
diff --git a/slixmpp/xmlstream/xmlstream.py b/slixmpp/xmlstream/xmlstream.py
index f386d6a6..9f6f3083 100644
--- a/slixmpp/xmlstream/xmlstream.py
+++ b/slixmpp/xmlstream/xmlstream.py
@@ -201,11 +201,6 @@ class XMLStream(asyncio.BaseProtocol):
self.__event_handlers = {}
self.__filters = {'in': [], 'out': [], 'out_sync': []}
- self._id = 0
-
- #: We use an ID prefix to ensure that all ID values are unique.
- self._id_prefix = '%s-' % uuid.uuid4()
-
# Current connection attempt (Future)
self._current_connection_attempt = None
@@ -243,12 +238,7 @@ class XMLStream(asyncio.BaseProtocol):
ID values. Using this method ensures that all new ID values
are unique in this stream.
"""
- self._id += 1
- return self.get_id()
-
- def get_id(self):
- """Return the current unique stream ID in hexadecimal form."""
- return "%s%X" % (self._id_prefix, self._id)
+ return uuid.uuid4().hex
def connect(self, host='', port=0, use_ssl=False,
force_starttls=True, disable_starttls=False):
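Review bot: Removing the public `get_id()` method at the `-    def get_id(self):` lines is an API break for any caller outside these two files (plugins or applications), and the diffstat shows no other file was touched, so such callers — if any exist in the tree — would now raise AttributeError. If the method has external users, keep a shim that documents the change, for example `def get_id(self): return self.new_id()` with a docstring noting that the counter-based "current id" no longer exists. Separately, the surviving docstring above `return uuid.uuid4().hex` still says the method "ensures that all new ID values are unique in this stream"; since uniqueness is now probabilistic rather than counter-based, reword it to something like `Return a fresh unpredictable stanza ID (random uuid4 hex); collisions are negligible but not impossible.` The switch to uuid4 itself is the right fix for the predictability issue the commit message describes.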