From b29bb30eb7bb46ce2b945efed55a265324e05383 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maxime=20=E2=80=9Cpep=E2=80=9D=20Buquet?= <pep@bouah.net>
Date: Sat, 13 Jul 2019 14:07:31 +0200
Subject: Make generated stanza id truly random
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix long-standing security issues where stanza @id be predictable.

Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>
---
 slixmpp/test/slixtest.py       |  7 +++++++
 slixmpp/xmlstream/xmlstream.py | 12 +-----------
 2 files changed, 8 insertions(+), 11 deletions(-)

(limited to 'slixmpp')

diff --git a/slixmpp/test/slixtest.py b/slixmpp/test/slixtest.py
index 3953d77d..802df73c 100644
--- a/slixmpp/test/slixtest.py
+++ b/slixmpp/test/slixtest.py
@@ -340,6 +340,13 @@ class SlixTest(unittest.TestCase):
         self.xmpp.default_lang = None
         self.xmpp.peer_default_lang = None
 
+        def new_id():
+            self.xmpp._id += 1
+            return str(self.xmpp._id)
+
+        self.xmpp._id = 0
+        self.xmpp.new_id = new_id
+
         # Must have the stream header ready for xmpp.process() to work.
         if not header:
             header = self.xmpp.stream_header
diff --git a/slixmpp/xmlstream/xmlstream.py b/slixmpp/xmlstream/xmlstream.py
index f386d6a6..9f6f3083 100644
--- a/slixmpp/xmlstream/xmlstream.py
+++ b/slixmpp/xmlstream/xmlstream.py
@@ -201,11 +201,6 @@ class XMLStream(asyncio.BaseProtocol):
         self.__event_handlers = {}
         self.__filters = {'in': [], 'out': [], 'out_sync': []}
 
-        self._id = 0
-
-        #: We use an ID prefix to ensure that all ID values are unique.
-        self._id_prefix = '%s-' % uuid.uuid4()
-
         # Current connection attempt (Future)
         self._current_connection_attempt = None
 
@@ -243,12 +238,7 @@ class XMLStream(asyncio.BaseProtocol):
         ID values. Using this method ensures that all new ID values
         are unique in this stream.
         """
-        self._id += 1
-        return self.get_id()
-
-    def get_id(self):
-        """Return the current unique stream ID in hexadecimal form."""
-        return "%s%X" % (self._id_prefix, self._id)
+        return uuid.uuid4().hex
 
     def connect(self, host='', port=0, use_ssl=False,
                 force_starttls=True, disable_starttls=False):
-- 
cgit v1.2.3