Author: jleroux
Date: Fri Apr 29 19:03:35 2016 New Revision: 1741689 URL: http://svn.apache.org/viewvc?rev=1741689&view=rev Log: "Applied fix from trunk for revision: 1741684 " (conflicts in EntityCrypto.java not handled, in LoginWorker by hand) ------------------------------------------------------------------------ r1741684 | jleroux | 2016-04-29 20:54:49 +0200 (ven. 29 avr. 2016) | 6 lignes Changes for "Use SecureRandom instead of Random where appropriate, and randomUUID for externalKey" - https://issues.apache.org/jira/browse/OFBIZ-7028 Because using SecureRandom comes with a cost, I have identified the places where it's reasonable to keep the non secured Random (like tests, internal sequences, etc.). Ant to use UUID.randomUUID to generate the external link id Also, though there are no real proven vulnerabilities, I decided to backport as much as possible since it's now public. ------------------------------------------------------------------------ Modified: ofbiz/branches/release13.07/ (props changed) ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java ofbiz/branches/release13.07/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java ofbiz/branches/release13.07/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Propchange: ofbiz/branches/release13.07/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Fri Apr 29 19:03:35 2016 @@ -5,4 +5,4 @@ /ofbiz/branches/jquery:952958-1044489 /ofbiz/branches/multitenant20100310:921280-927264 /ofbiz/branches/release12.04:1557118 -/ofbiz/trunk:1506269,1506499,1506504,1506828,1509164,1510042,1511279,1512376,1512573,1516094,1517629,1517702,1517780,1517947,1518336,1518950,1519245,1519999,1520319,1520321,1520326,1524361,1524676,1524704,1524769,1524835,1524950,1525523,1526276,1526387,1526463,1527212,1527254,1527609,1527626,1527810,1528144,1528146,1528149,1528298,1529412,1529418,1529588,1530273,1530634,1530876,1530972,1530976,1531848,1532342,1532366,1533542,1533839,1534062,1535961,1536170,1536656,1537023,1537086,1537179,1537996,1538096,1539147,1539156,1539781,1542264,1542388,1542442,1543744,1543766,1543781,1543994,1544444,1547548,1548143,1549015,1550255,1550258,1550515,1551585,1551744,1552149,1552290,1552500,1552901,1552908,1554064,1554242,1554265,1554290,1554373,1554536,1554681,1554685,1554706,1554764,1554787,1555142,1557409-1557410,1557427,1557440,1557443,1557447,1557456-1557457,1557462,1557593,1558145,1558241,1558373,1558774,1559814,1560048,1560056,1560176,1560203,1560205,1560699,1561286,1561290,1561305,1561311, 1561327,1561467,1562767,1563238,1563683,1563958,1564111,1564113,1564463,1564473,1564493,1566096,1566273,1569078,1569743,1570611,1570622,1570639-1570640,1571207,1571219,1571247,1573161,1573498,1573639,1574019,1574201,1574404,1575508,1576259,1576331,1576378,1576506,1576511,1576757,1576839,1577268,1577744,1579155,1579161,1579277,1579309,1580455,1580850,1581386,1581972,1581997,1582762,1583040,1583427-1583428,1583551,1583674,1583681,1583689,1583696,1584873,1585033,1585574,1585958-1585959,1586987,1587841,1587843,1588733,1589589,1589602,1589606,1589612,1589625,1589669,1592530,1592588,1592745,1592977,1593902,1593908,1593952,1597239,1597464,1598113,1598327,1598475,1598544,1598913,1603439,1603732,1603739,1604357,1604363,1604522,1604554,1605029,1605269,1605348,1605354,1605707,1607457,1608355,1608495,1608526,1608698,1609047,1609065,1609076,1609087,1609149,1609155,1609167,1609184,1609389,1609394,1609398,1609406,1609418,1609885,1609889,1610355,1610420,1610425,1610685,1610918,1610925,1611321,16121 90,1612202,1613121,1614019,1614025,1614280,1614355,1614366,1614556,1615296-1615297,1616272,1616684,1616940,1617229,1617473,1617480,1617936,1617938,1618395,1618397,1618570,1618831,1619087,1619098,1619300,1621335,1621363,1621413,1621436,1621438-1621439,1621442,1621599,1621683,1622050,1622170,1622672,1623370,1624538,1624767,1624809,1624817,1626425,1626797,1627230,1627763,1628096,1628130,1628937,1628940,1629382,1629391,1629426,1631203,1631299-1631300,1632764,1632793,1633100,1633188,1633550,1636864,1637883,1639606,1639835,1639840-1639841,1639846,1639863,1639887,1640288,1640299,1640515,1640717,1641066,1641131,1641165,1641548,1641804,1642423,1643341,1644904,1645950,1646204,1646935,1646977,1646984,1647266,1647338,1647559,1647606,1648668,1649239,1649393,1650240,1650583,1650642,1650678,1650882,1650938,1651593,1652361,1652725,1652731,1652739,1653456,1654175,1654273,1655046,1655795,1656983,1660389,1660444,1661358,1661612,1661778,1661853,1661873,1661940,1661951,1661977,1662361,1662500,1663912,16 63979,1664602,1664604,1666633,1666836,1666939,1666949,1667055,1667253,1668214,1668246,1668258,1668265,1668314,1669317,1672862,1672873,1673764,1674447,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1680155,1680304,1680672,1680733,1680840,1680873,1680881,1682272,1682415,1683998,1686566,1686569,1686574,1686583,1686635,1686651,1687427,1690086,1692458,1693579,1696018,1696234,1697993,1701164,1702704,1703121,1703586,1703965,1703977,1703981,1704000,1704018,1704043,1704052,1704082,1704140,1704230,1705004,1706316,1706561,1706591,1706694,1707837,1708341,1708742,1710178,1710348,1711513,1714244,1714410,1714571,1714657,1715477,1715501,1717058,1717180,1717682,1717760,1718023,1718109,1719094,1720883,1721067,1721625,1722712,1724402,1724916,1724918,1724925,1724943,1724946,1724978,1726828,1729609,1729809,1730735,1730882,1731359,1732721,1733951,1733956,1734246,1734269,1734912,1734918,1735244,1735385,1735569,1735731,1735734,1735773,1736083,1736272 ,1736434,1736851,1736854,1738235,1738303,1740008,1740629,1741146,1741563 +/ofbiz/trunk:1506269,1506499,1506504,1506828,1509164,1510042,1511279,1512376,1512573,1516094,1517629,1517702,1517780,1517947,1518336,1518950,1519245,1519999,1520319,1520321,1520326,1524361,1524676,1524704,1524769,1524835,1524950,1525523,1526276,1526387,1526463,1527212,1527254,1527609,1527626,1527810,1528144,1528146,1528149,1528298,1529412,1529418,1529588,1530273,1530634,1530876,1530972,1530976,1531848,1532342,1532366,1533542,1533839,1534062,1535961,1536170,1536656,1537023,1537086,1537179,1537996,1538096,1539147,1539156,1539781,1542264,1542388,1542442,1543744,1543766,1543781,1543994,1544444,1547548,1548143,1549015,1550255,1550258,1550515,1551585,1551744,1552149,1552290,1552500,1552901,1552908,1554064,1554242,1554265,1554290,1554373,1554536,1554681,1554685,1554706,1554764,1554787,1555142,1557409-1557410,1557427,1557440,1557443,1557447,1557456-1557457,1557462,1557593,1558145,1558241,1558373,1558774,1559814,1560048,1560056,1560176,1560203,1560205,1560699,1561286,1561290,1561305,1561311, 1561327,1561467,1562767,1563238,1563683,1563958,1564111,1564113,1564463,1564473,1564493,1566096,1566273,1569078,1569743,1570611,1570622,1570639-1570640,1571207,1571219,1571247,1573161,1573498,1573639,1574019,1574201,1574404,1575508,1576259,1576331,1576378,1576506,1576511,1576757,1576839,1577268,1577744,1579155,1579161,1579277,1579309,1580455,1580850,1581386,1581972,1581997,1582762,1583040,1583427-1583428,1583551,1583674,1583681,1583689,1583696,1584873,1585033,1585574,1585958-1585959,1586987,1587841,1587843,1588733,1589589,1589602,1589606,1589612,1589625,1589669,1592530,1592588,1592745,1592977,1593902,1593908,1593952,1597239,1597464,1598113,1598327,1598475,1598544,1598913,1603439,1603732,1603739,1604357,1604363,1604522,1604554,1605029,1605269,1605348,1605354,1605707,1607457,1608355,1608495,1608526,1608698,1609047,1609065,1609076,1609087,1609149,1609155,1609167,1609184,1609389,1609394,1609398,1609406,1609418,1609885,1609889,1610355,1610420,1610425,1610685,1610918,1610925,1611321,16121 90,1612202,1613121,1614019,1614025,1614280,1614355,1614366,1614556,1615296-1615297,1616272,1616684,1616940,1617229,1617473,1617480,1617936,1617938,1618395,1618397,1618570,1618831,1619087,1619098,1619300,1621335,1621363,1621413,1621436,1621438-1621439,1621442,1621599,1621683,1622050,1622170,1622672,1623370,1624538,1624767,1624809,1624817,1626425,1626797,1627230,1627763,1628096,1628130,1628937,1628940,1629382,1629391,1629426,1631203,1631299-1631300,1632764,1632793,1633100,1633188,1633550,1636864,1637883,1639606,1639835,1639840-1639841,1639846,1639863,1639887,1640288,1640299,1640515,1640717,1641066,1641131,1641165,1641548,1641804,1642423,1643341,1644904,1645950,1646204,1646935,1646977,1646984,1647266,1647338,1647559,1647606,1648668,1649239,1649393,1650240,1650583,1650642,1650678,1650882,1650938,1651593,1652361,1652725,1652731,1652739,1653456,1654175,1654273,1655046,1655795,1656983,1660389,1660444,1661358,1661612,1661778,1661853,1661873,1661940,1661951,1661977,1662361,1662500,1663912,16 63979,1664602,1664604,1666633,1666836,1666939,1666949,1667055,1667253,1668214,1668246,1668258,1668265,1668314,1669317,1672862,1672873,1673764,1674447,1674491,1674496,1674908,1676674,1677123,1677597,1677769-1677770,1678294,1678882,1678911,1679689,1679697,1680155,1680304,1680672,1680733,1680840,1680873,1680881,1682272,1682415,1683998,1686566,1686569,1686574,1686583,1686635,1686651,1687427,1690086,1692458,1693579,1696018,1696234,1697993,1701164,1702704,1703121,1703586,1703965,1703977,1703981,1704000,1704018,1704043,1704052,1704082,1704140,1704230,1705004,1706316,1706561,1706591,1706694,1707837,1708341,1708742,1710178,1710348,1711513,1714244,1714410,1714571,1714657,1715477,1715501,1717058,1717180,1717682,1717760,1718023,1718109,1719094,1720883,1721067,1721625,1722712,1724402,1724916,1724918,1724925,1724943,1724946,1724978,1726828,1729609,1729809,1730735,1730882,1731359,1732721,1733951,1733956,1734246,1734269,1734912,1734918,1735244,1735385,1735569,1735731,1735734,1735773,1736083,1736272 ,1736434,1736851,1736854,1738235,1738303,1740008,1740629,1741146,1741563,1741684 Modified: ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java URL: http://svn.apache.org/viewvc/ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java?rev=1741689&r1=1741688&r2=1741689&view=diff ============================================================================== --- ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java (original) +++ ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/payment/GiftCertificateServices.java Fri Apr 29 19:03:35 2016 @@ -19,6 +19,7 @@ package org.ofbiz.accounting.payment; import java.math.BigDecimal; +import java.security.SecureRandom; import java.sql.Timestamp; import java.util.List; import java.util.Locale; @@ -1449,7 +1450,7 @@ public class GiftCertificateServices { length = 19; } - Random rand = new Random(); + Random rand = new SecureRandom(); boolean isValid = false; StringBuilder number = null; while (!isValid) { Modified: ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java URL: http://svn.apache.org/viewvc/ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java?rev=1741689&r1=1741688&r2=1741689&view=diff ============================================================================== --- ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java (original) +++ ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/ideal/IdealEvents.java Fri Apr 29 19:03:35 2016 @@ -159,7 +159,7 @@ public class IdealEvents { transaction.setDescription(orderDescription); String returnURL = merchantReturnURL + "?orderId=" + orderId; - Random random = new Random(); + Random random = new SecureRandom(); String EntranceCode = Long.toString(Math.abs(random.nextLong()), 36); transaction.setEntranceCode(EntranceCode); transaction.setMerchantReturnURL(returnURL); Modified: ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java URL: http://svn.apache.org/viewvc/ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java?rev=1741689&r1=1741688&r2=1741689&view=diff ============================================================================== --- ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java (original) +++ ofbiz/branches/release13.07/applications/accounting/src/org/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java Fri Apr 29 19:03:35 2016 @@ -29,6 +29,7 @@ import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.PublicKey; +import java.security.SecureRandom; import java.security.spec.InvalidKeySpecException; import java.text.SimpleDateFormat; import java.util.Date; @@ -581,7 +582,7 @@ public class ValueLinkApi { // 8 bytes random data byte[] random = new byte[8]; - Random ran = new Random(); + Random ran = new SecureRandom(); ran.nextBytes(random); @@ -827,7 +828,7 @@ public class ValueLinkApi { } protected byte[] getRandomBytes(int length) { - Random rand = new Random(); + Random rand = new SecureRandom(); byte[] randomBytes = new byte[length]; rand.nextBytes(randomBytes); return randomBytes; Modified: ofbiz/branches/release13.07/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java URL: http://svn.apache.org/viewvc/ofbiz/branches/release13.07/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java?rev=1741689&r1=1741688&r2=1741689&view=diff ============================================================================== --- ofbiz/branches/release13.07/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java (original) +++ ofbiz/branches/release13.07/framework/base/src/org/ofbiz/base/crypto/HashCrypt.java Fri Apr 29 19:03:35 2016 @@ -23,7 +23,7 @@ import static org.ofbiz.base.util.UtilIO import java.io.UnsupportedEncodingException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.util.Random; +import java.security.SecureRandom; import org.apache.commons.codec.binary.Base64; import org.apache.commons.codec.binary.Hex; @@ -124,7 +124,7 @@ public class HashCrypt { hashType = "SHA"; } if (salt == null) { - salt = RandomStringUtils.random(new Random().nextInt(15) + 1, CRYPT_CHAR_SET); + salt = RandomStringUtils.random(new SecureRandom().nextInt(15) + 1, CRYPT_CHAR_SET); } StringBuilder sb = new StringBuilder(); sb.append("$").append(hashType).append("$").append(salt).append("$"); Modified: ofbiz/branches/release13.07/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java URL: http://svn.apache.org/viewvc/ofbiz/branches/release13.07/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java?rev=1741689&r1=1741688&r2=1741689&view=diff ============================================================================== --- ofbiz/branches/release13.07/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java (original) +++ ofbiz/branches/release13.07/framework/webapp/src/org/ofbiz/webapp/control/LoginWorker.java Fri Apr 29 19:03:35 2016 @@ -26,6 +26,8 @@ import java.sql.Timestamp; import java.util.List; import java.util.Map; import java.util.ServiceLoader; +import java.util.UUID; +import java.util.concurrent.ConcurrentHashMap; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -148,7 +150,8 @@ public class LoginWorker { //no key made yet for this request, create one while (externalKey == null || externalLoginKeys.containsKey(externalKey)) { - externalKey = "EL" + Long.toString(Math.round(Math.random() * 1000000)) + Long.toString(Math.round(Math.random() * 1000000)); + UUID uuid = UUID.randomUUID(); + externalKey = "EL" + uuid.toString(); } request.setAttribute(EXTERNAL_LOGIN_KEY_ATTR, externalKey); |
Free forum by Nabble | Edit this page |