
fix insecure math/rand use for access token generation (#1441)

Tim Cooper 2021-10-01 14:46:42 -05:00 committed by GitHub
parent fe47c99ac2
commit 3717a2ebeb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,9 +1,8 @@
package utils package utils
import ( import (
"crypto/rand"
"encoding/base64" "encoding/base64"
"math/rand"
"time"
) )
const tokenLength = 32 const tokenLength = 32
@ -19,8 +18,7 @@ func GenerateAccessToken() (string, error) {
// case the caller should not continue. // case the caller should not continue.
func generateRandomBytes(n int) ([]byte, error) { func generateRandomBytes(n int) ([]byte, error) {
b := make([]byte, n) b := make([]byte, n)
rand.Seed(time.Now().UTC().UnixNano()) _, err := rand.Read(b)
_, err := rand.Read(b) //nolint
// Note that err == nil only if we read len(b) bytes. // Note that err == nil only if we read len(b) bytes.
if err != nil { if err != nil {
return nil, err return nil, err
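Review bot: The doc comment on generateRandomBytes, which begins above this hunk, should state that the bytes come from crypto/rand so a later edit does not quietly swap the import back, for example `// generateRandomBytes returns n bytes from crypto/rand (the OS CSPRNG); never substitute math/rand here.` The removed call carried a bare `//nolint`, which most likely silenced the linter finding for math/rand at this spot, so any remaining suppressions in the package are better written in the named form with a reason, such as `//nolint:gosec // <why this is safe>`. Access tokens issued before this change came from a generator seeded with the current time, and nothing on the page shows them being rotated, so invalidating existing tokens on upgrade is worth considering. The function body continues past the end of the hunk.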