From 3f3a41d47489722be5a502352b32c3c7e25fe610 Mon Sep 17 00:00:00 2001
From: nd <git@notandy.de>
Date: Tue, 14 Jul 2020 23:20:12 +0200
Subject: [PATCH] use secrets module instead of random

---
 uffd/__init__.py      | 3 ++-
 uffd/session/views.py | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/uffd/__init__.py b/uffd/__init__.py
index 30280972..0f071fb9 100644
--- a/uffd/__init__.py
+++ b/uffd/__init__.py
@@ -1,4 +1,5 @@
 import os
+import secrets
 
 from flask import Flask, redirect, url_for
 from werkzeug.routing import IntegerConverter
@@ -16,7 +17,7 @@ def create_app(test_config=None):
 	# set development default config values
 	app.config.from_mapping(
 		TEMPLATES_AUTO_RELOAD=True,
-		SECRET_KEY=os.urandom(128),
+		SECRET_KEY=secrets.token_hex(128),
 		SQLALCHEMY_DATABASE_URI="sqlite:///{}".format(os.path.join(app.instance_path, 'uffd.sqlit3')),
 		SQLALCHEMY_ECHO=True,
 	)
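Review bot: The new `SECRET_KEY=secrets.token_hex(128)` on L26 is still evaluated inside create_app, so each process start produces a fresh key and every previously signed session becomes invalid; the surrounding comment marks this as a development default, which is fine only if the production configuration overrides SECRET_KEY, and this hunk does not show that. A comment on the line would make both the intent and the unit explicit: `# dev-only fallback, regenerated on every process start (128 bytes -> 256 hex chars); production config must set SECRET_KEY`. The value also changes type from bytes to str; Flask accepts either for SECRET_KEY, but the difference is worth stating in the commit message. create_app begins outside the hunk.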
diff --git a/uffd/session/views.py b/uffd/session/views.py
index 2590b0b7..269c0a49 100644
--- a/uffd/session/views.py
+++ b/uffd/session/views.py
@@ -1,5 +1,5 @@
 import datetime
-import random
+import secrets
 import string
 import functools
 
@@ -38,7 +38,7 @@ def login():
 		return redirect(url_for('.login'))
 	session['user_uid'] = user.uid
 	session['logintime'] = datetime.datetime.now().timestamp()
-	session['_csrf_token'] = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(64))
+	session['_csrf_token'] = secrets.token_hex(128)
 	return redirect(request.values.get('ref', url_for('index')))
 
 def get_current_user():
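Review bot: `secrets.token_hex(128)` on L46 takes a byte count, so the CSRF token kept in the session grows from 64 characters to 256 hex characters (1024 bits), well beyond the roughly 380 bits the previous 64-character alphanumeric token carried, and every request now carries that larger payload if the default client-side signed-cookie session is in use. A 256-bit token is sufficient and far shorter: `session['_csrf_token'] = secrets.token_urlsafe(32)`. With the random-based generator removed, the `string` import retained on L38 in the earlier hunk appears unused from what this patch shows; drop it if nothing else in the module references it. login() begins outside the hunk.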
-- 
GitLab