community
/
rclone
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

random: fix incorrect use of math/rand instead of crypto/rand CVE-2020-28924 

For implications see the linked issue.

Fixes #4783
This commit is contained in:
Nick Craig-Wood 2020-11-18 12:03:01 +00:00
parent 095c7bd801
commit 7985df3768
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
lib/random/random.go
View File

@ -2,8 +2,9 @@
package random package random
import ( import (
cryptorand "crypto/rand"
"encoding/base64" "encoding/base64"
"math/rand" mathrand "math/rand"
"github.com/pkg/errors" "github.com/pkg/errors"
) )
@ -23,7 +24,7 @@ func String(n int) string {
for i := range out { for i := range out {
source := pattern[p] source := pattern[p]
p = (p + 1) % len(pattern) p = (p + 1) % len(pattern)
out[i] = source[rand.Intn(len(source))] out[i] = source[mathrand.Intn(len(source))]
} }
return string(out) return string(out)
} }
@ -41,7 +42,7 @@ func Password(bits int) (password string, err error) {
bytes++ bytes++
} }
var pw = make([]byte, bytes) var pw = make([]byte, bytes)
n, err := rand.Read(pw) n, err := cryptorand.Read(pw)
if err != nil { if err != nil {
return "", errors.Wrap(err, "password read failed") return "", errors.Wrap(err, "password read failed")
} }