
Commit 153e248

committed
Improved nonce safety
generate_nonce() was rewritten to draw its randomness from a cryptographically secure source (os.urandom) instead of the non-cryptographic `random` module.
1 parent 003e299 commit 153e248

1 file changed

+5
-10
lines changed

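--- a/woocommerce/oauth.py
+++ b/woocommerce/oauth.py
@@ -10,10 +10,10 @@
 __license__ = "MIT"
 
 from time import time
-from random import randint
+from os import urandom
 from hmac import new as HMAC
-from hashlib import sha1, sha256
-from base64 import b64encode
+from hashlib import sha256
+from base64 import b64encode, urlsafe_b64encode
 from collections import OrderedDict
 from urllib.parse import urlencode, quote, unquote, parse_qsl, urlparse
 
@@ -122,10 +122,5 @@ def get_value_like_as_php(val):
 
     @staticmethod
     def generate_nonce():
-        """ Generate nonce number """
-        nonce = ''.join([str(randint(0, 9)) for i in range(8)])
-        return HMAC(
-            nonce.encode(),
-            "secret".encode(),
-            sha1
-        ).hexdigest()
+        """Generate a crypto safe random 32-byte string and encode it in Base64"""
+        return urlsafe_b64encode(urandom(32)).decode('utf-8').rstrip('=')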
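Review bot: The new `generate_nonce` return line hand-rolls what the standard library already provides: `secrets.token_urlsafe(32)` produces exactly the same URL-safe, padding-stripped Base64 encoding of 32 `os.urandom` bytes and names the security intent, so `return secrets.token_urlsafe(32)` (with `import secrets` replacing the `urandom` and `urlsafe_b64encode` imports, if nothing else in the file uses them) would make the purpose self-documenting and is available on any Python 3.6+ interpreter, which this Python-3-only file already requires. The added docstring is slightly inaccurate: the value is URL-safe Base64 with the `=` padding removed (43 characters drawn from the `A-Za-z0-9-_` alphabet), not plain Base64, so `"""Return a 43-char URL-safe Base64 nonce built from 32 crypto-secure random bytes (padding stripped)."""` would describe the contract a caller can rely on. Dropping `sha1` from the hashlib import is safe only if no other code in the file still references it; that cannot be confirmed from this hunk. The class enclosing this staticmethod starts outside the hunk.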
