author | Maxime “pep” Buquet <pep@bouah.net> | 2019-07-13 14:07:31 +0200 |
---|---|---|
committer | Maxime “pep” Buquet <pep@bouah.net> | 2019-07-13 14:07:31 +0200 |
commit | b29bb30eb7bb46ce2b945efed55a265324e05383 (patch) | |
tree | 688eb7aa321846123a9ef9e9047b85da80b5fc68 | |
parent | 4435c81d77c651a20bfe979ed8d20f9887c057d1 (diff) | |
download | slixmpp-b29bb30eb7bb46ce2b945efed55a265324e05383.tar.gz slixmpp-b29bb30eb7bb46ce2b945efed55a265324e05383.tar.bz2 slixmpp-b29bb30eb7bb46ce2b945efed55a265324e05383.tar.xz slixmpp-b29bb30eb7bb46ce2b945efed55a265324e05383.zip |
Make generated stanza id truly random
Fix long-standing security issues where stanza @id could be predictable.
Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>
-rw-r--r-- | slixmpp/test/slixtest.py | 7 | ||||
-rw-r--r-- | slixmpp/xmlstream/xmlstream.py | 12 |
2 files changed, 8 insertions, 11 deletions
diff --git a/slixmpp/test/slixtest.py b/slixmpp/test/slixtest.py
index 3953d77d..802df73c 100644
--- a/slixmpp/test/slixtest.py
+++ b/slixmpp/test/slixtest.py
@@ -340,6 +340,13 @@ class SlixTest(unittest.TestCase):
 self.xmpp.default_lang = None
 self.xmpp.peer_default_lang = None
+ def new_id():
+ self.xmpp._id += 1
+ return str(self.xmpp._id)
+
+ self.xmpp._id = 0
+ self.xmpp.new_id = new_id
+
 # Must have the stream header ready for xmpp.process() to work.
 if not header:
 header = self.xmpp.stream_header
diff --git a/slixmpp/xmlstream/xmlstream.py b/slixmpp/xmlstream/xmlstream.py
index f386d6a6..9f6f3083 100644
--- a/slixmpp/xmlstream/xmlstream.py
+++ b/slixmpp/xmlstream/xmlstream.py
@@ -201,11 +201,6 @@ class XMLStream(asyncio.BaseProtocol):
 self.__event_handlers = {}
 self.__filters = {'in': [], 'out': [], 'out_sync': []}
- self._id = 0
-
- #: We use an ID prefix to ensure that all ID values are unique.
- self._id_prefix = '%s-' % uuid.uuid4()
-
 # Current connection attempt (Future)
 self._current_connection_attempt = None
@@ -243,12 +238,7 @@ class XMLStream(asyncio.BaseProtocol):
 ID values. Using this method ensures that all new ID values are unique in this stream.
 """
- self._id += 1
- return self.get_id()
-
- def get_id(self):
- """Return the current unique stream ID in hexadecimal form."""
- return "%s%X" % (self._id_prefix, self._id)
+ return uuid.uuid4().hex
 def connect(self, host='', port=0, use_ssl=False, force_starttls=True, disable_starttls=False): |
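Review bot: The `new_id` override installed in the harness has no comment saying why the stream's generator is swapped for a sequential counter, and after this commit `self.xmpp._id` exists only because the harness sets it. I would add `# Deterministic ids so expected stanzas can be matched; production new_id() is random.` above `def new_id():`. Because every stream the harness starts gets the counter, nothing visible in this hunk exercises the real generator; a small separate test asserting that successive `new_id()` values from an unpatched stream differ and share no common prefix would guard the property this commit is fixing. The enclosing method starts and ends outside the hunk.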
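Review bot: The docstring kept above `return uuid.uuid4().hex` still promises only uniqueness, although the commit message makes unpredictability the property being fixed; I would add a sentence to it such as `IDs are random and must not be guessable from earlier ones.` so a later refactor does not reintroduce a counter. `uuid4()` carries 122 random bits and CPython draws them from `os.urandom`, but the `uuid` module does not document that as a security guarantee, so `return secrets.token_hex(16)` would state the intent directly if the supported Python versions include `secrets` (3.6+). Removing `get_id()` also changes the class's interface; callers outside this diff are not visible here and should be checked. `new_id` begins outside the hunk.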