secret_key.py doesn't warn when reverting to insecure key generation
Bug #1588064 reported by Matt Borland
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | High | Matt Borland |
Bug Description
secret_key.py is used to generate a 64-bit key used by Django; however, when it cannot find the 'SystemRandom' extension to the 'random' package, it reverts to a generator that is, by documentation, not secure cryptographically. Witness:
https:/
Reverting to the generator without leaving a warning is a hazard from a system security perspective. We should log at WARN that there is a possible security issue in the configuration.
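The behaviour the report asks for, sketched as an added example (not Horizon's secret_key.py and not the merged fix): the key generator falls back to `random.choice` only after logging at WARNING. The names `pick_choice`, `generate_key`, `demo`, the logger name and the 64-character default are assumptions made for this illustration.

```python
import logging
import random
import string
import types

LOG = logging.getLogger("secret_key_example")  # hypothetical logger name
ALPHABET = string.digits + string.ascii_letters


def pick_choice(rng_module=random):
    """Return (choice_fn, is_secure); warn when the secure RNG is unavailable."""
    system_random = getattr(rng_module, "SystemRandom", None)
    if system_random is not None:
        try:
            rng = system_random()
            rng.random()  # os.urandom raises NotImplementedError without an OS source
            return rng.choice, True
        except NotImplementedError:
            pass
    LOG.warning("SystemRandom is unavailable; generating the secret key with a "
                "non-cryptographic generator. Review this deployment.")
    return rng_module.choice, False


def generate_key(key_length=64, rng_module=random):
    """Return (key, is_secure) so callers can refuse an insecure key if they wish."""
    choice, secure = pick_choice(rng_module)
    return "".join(choice(ALPHABET) for _ in range(key_length)), secure


class _ListHandler(logging.Handler):
    """Collects log records so the warning can be checked programmatically."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def demo():
    handler = _ListHandler()
    LOG.addHandler(handler)
    try:
        # Constructed stand-in for a 'random' module that lacks SystemRandom.
        legacy = types.SimpleNamespace(choice=random.choice)
        _, secure_default = generate_key()
        key, secure_legacy = generate_key(rng_module=legacy)
    finally:
        LOG.removeHandler(handler)
    return secure_default, secure_legacy, len(key), [r.levelname for r in handler.records]


if __name__ == "__main__":
    print(demo())
```

Returning the `is_secure` flag alongside the key lets a deployment go further than logging and refuse to start with a weak key.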
Fix proposed to branch: master
Review: https://review.openstack.org/324104