If available, use 'secrets' module for randbytes().

2017-11-20 13:37:55 -08:00 · 2017-11-20 13:37:55 -08:00 · 8db6c1b1e4
parent 3a590f58b8
commit 8db6c1b1e4
1 changed files with 12 additions and 6 deletions
--- a/quixote/util.py
+++ b/quixote/util.py
@ -21,6 +21,10 @@ import mimetypes
 import urllib.request, urllib.parse, urllib.error
 import xmlrpc.client
 from email.utils import formatdate
+try:
+    import secrets
+except ImportError:
+    secrets = None

 import quixote
 from quixote import errors
@ -28,17 +32,19 @@ from quixote.directory import Directory
 from quixote.html import htmltext, TemplateIO
 from quixote.http_response import Stream

-def _encode_base64(s):
-    return base64.urlsafe_b64encode(s).rstrip(b'=\n').decode('ascii')
-
-if hasattr(os, 'urandom'):
+if secrets is not None:
+    # available in Python 3.6+, this is the preferred implementation
+    randbytes = secrets.token_urlsafe
+elif hasattr(os, 'urandom'):
    # available in Python 2.4 and also works on win32
-    def randbytes(n):
+    def _encode_base64(s):
+        return base64.urlsafe_b64encode(s).rstrip(b'=\n').decode('ascii')
+    def randbytes(n=16):
        """Return bytes of random data as a text string."""
        return _encode_base64(os.urandom(n))
 else:
    # give up, we used to try to provide a less secure version
-    def randbytes(n):
+    def randbytes(n=16):
        raise NotImplementedError('platform missing os.urandom')

 def import_object(name):