Commit b29bb30e authored by Maxime Buquet's avatar Maxime Buquet

Make generated stanza id truly random

Fix long-standing security issues where the stanza @id could be predictable.
Signed-off-by: Maxime Buquet's avatarMaxime “pep” Buquet <pep@bouah.net>
parent 4435c81d
Pipeline #2176 passed with stages
in 1 minute and 8 seconds
......@@ -340,6 +340,13 @@ class SlixTest(unittest.TestCase):
self.xmpp.default_lang = None
self.xmpp.peer_default_lang = None
def new_id():
self.xmpp._id += 1
return str(self.xmpp._id)
self.xmpp._id = 0
self.xmpp.new_id = new_id
# Must have the stream header ready for xmpp.process() to work.
if not header:
header = self.xmpp.stream_header
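Review bot: The `new_id` override installed here has no comment explaining why the test harness swaps the random generator for a counter, and it keeps its state in `self.xmpp._id`, an attribute the production class appears to drop in this same commit. I would add something like `# Deterministic ids so expected stanzas can hard-code them; production new_id() is random.` above `def new_id():`, and keep the counter in the closure (for example `itertools.count(1)`) rather than on the stream object. Because every SlixTest stream uses this override, nothing visible here exercises the real `new_id()`; a small test asserting that two consecutive ids differ and are not sequential would guard the security property. The enclosing method starts and ends outside the hunk.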
......
......@@ -201,11 +201,6 @@ class XMLStream(asyncio.BaseProtocol):
self.__event_handlers = {}
self.__filters = {'in': [], 'out': [], 'out_sync': []}
self._id = 0
#: We use an ID prefix to ensure that all ID values are unique.
self._id_prefix = '%s-' % uuid.uuid4()
# Current connection attempt (Future)
self._current_connection_attempt = None
......@@ -243,12 +238,7 @@ class XMLStream(asyncio.BaseProtocol):
ID values. Using this method ensures that all new ID values
are unique in this stream.
"""
self._id += 1
return self.get_id()
def get_id(self):
"""Return the current unique stream ID in hexadecimal form."""
return "%s%X" % (self._id_prefix, self._id)
return uuid.uuid4().hex
def connect(self, host='', port=0, use_ssl=False,
force_starttls=True, disable_starttls=False):
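Review bot: The docstring kept above `return uuid.uuid4().hex` still promises only that ids are unique in the stream, while the property this commit is about is unpredictability. I would add a line such as `IDs must be unguessable; do not replace this with a counter or any other predictable scheme.` so the guarantee is not regressed later. `uuid.uuid4()` draws from `os.urandom` in CPython, which is adequate, though `secrets.token_hex(16)` would state the CSPRNG intent directly. `get_id()`, `_id` and `_id_prefix` appear to be removed, so any caller outside these hunks that still uses them would break; that cannot be checked from this page. The definition of `new_id` starts outside the hunk.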
......