From ed322add97b08a852fd816acf9e8d0d2c6f2787a Mon Sep 17 00:00:00 2001
From: Aevann
Date: Fri, 30 Jun 2023 19:51:14 +0300
Subject: [PATCH] use more secure token_urlsafe

---
 files/routes/admin.py | 2 +-
 files/routes/login.py | 4 ++--
 files/routes/wrappers.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/files/routes/admin.py b/files/routes/admin.py
index 01182a0984..c5bcdbb1ff 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -1890,7 +1890,7 @@ def delete_media_post(v):
 @admin_level_required(PERMS['USER_RESET_PASSWORD'])
 def admin_reset_password(user_id, v):
 user = get_account(user_id)
- new_password = secrets.token_hex(31)
+ new_password = secrets.token_urlsafe(57)
 user.passhash = hash_password(new_password)
 g.db.add(user)
diff --git a/files/routes/login.py b/files/routes/login.py
index 3735b89a90..607ffbf504 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
@@ -172,7 +172,7 @@ def sign_up_get(v:Optional[User]):
 return render_template("login/sign_up_failed_ref.html"), 403
 now = int(time.time())
- token = secrets.token_hex(16)
+ token = secrets.token_urlsafe(32)
 session["signup_token"] = token
 formkey_hashstr = str(now) + token + g.agent
@@ -234,7 +234,7 @@ def sign_up_post(v:Optional[User]):
 ref_user = None
 now = int(time.time())
- token = secrets.token_hex(16)
+ token = secrets.token_urlsafe(32)
 session["signup_token"] = token
 formkey_hashstr = str(now) + token + g.agent
 formkey = hmac.new(key=bytes(SECRET_KEY, "utf-16"),
diff --git a/files/routes/wrappers.py b/files/routes/wrappers.py
index 5bd54e364e..face81d9db 100644
--- a/files/routes/wrappers.py
+++ b/files/routes/wrappers.py
@@ -39,7 +39,7 @@ def calc_users():
 if not session.get("session_id"):
 session.permanent = True
- session["session_id"] = secrets.token_hex(49)
+ session["session_id"] = secrets.token_urlsafe(98)
 if v:
 if session["session_id"] in loggedout:
 del loggedout[session["session_id"]]
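Review bot: The argument to `secrets.token_urlsafe(57)` in `admin_reset_password` is a byte count, not a character count, so the generated password is now about 76 characters (57 bytes, base64url-encoded) where `token_hex(31)` produced 62 hex characters; if `hash_password` or the login form enforces a maximum password length — bcrypt-style KDFs, for instance, silently truncate input at 72 bytes — the longer value could be truncated or rejected, and nothing in the hunk shows what limit applies. Worth confirming against `hash_password` and the login route, or sizing the value explicitly, e.g. `new_password = secrets.token_urlsafe(32)  # 43 chars / 256 bits, under bcrypt's 72-byte limit`. `token_hex(31)` already drew from the same CSPRNG, so this change buys entropy per character rather than fixing a weakness; a one-line comment saying so would stop a later reader from reverting it as a no-op. `admin_reset_password` continues past the end of the hunk.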
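Review bot: `sign_up_get` and `sign_up_post` build the same `now` / `token` / `session["signup_token"]` / `formkey_hashstr` sequence, and this commit had to change the token size in both places (the second login.py hunk at line 234 mirrors the first at line 172); extracting it into one private helper, e.g. `def _new_signup_formkey_parts(): ...` returning `(now, token, formkey_hashstr)`, would keep the two generation paths from drifting the next time the size or encoding changes. The base64url alphabet adds `-` and `_` to what was previously a hex-only token, so any later validation of `session["signup_token"]` that assumed `[0-9a-f]` would need to follow — no such check is visible in either hunk, so this is only something to confirm. Both functions continue outside their hunks.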
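Review bot: `secrets.token_urlsafe(98)` in `calc_users` yields a session identifier of roughly 131 characters (98 random bytes, ~784 bits) that is stored in `session` — a client-side cookie sent on every request if this is Flask's default session — and used as a dict key into `loggedout`; that is far more than an unguessable identifier needs, and the cookie grows by about a third over the 98-character hex value it replaces. `session["session_id"] = secrets.token_urlsafe(32)` (256 bits, 43 characters) is the conventional size and keeps the cookie small. If the larger value was chosen deliberately, a short comment on that line stating the reason would help, since the commit message only says "more secure". `calc_users` continues outside the hunk.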