A real fix for the problem where:

  import random

would result in every call to random() returning the same value
in the web interface.

While cgi/client.py:Client::__init.py__ was calling random.seed(),
on most systems random was SystemRandom and not the default random.

As a result the random as you would get from:

  import random

was never being seeded. I added a function to access and seed the
random bound instance of random.Random that is called during init.

This fixes all three places where I saw the broken randomness.
It should also fix:

  http://psf.upfronthosting.co.za/roundup/meta/issue644

I also removed the prior code that would bail if systemRandom was not
available.

Author: rouilj

roundup/cgi/actions.py

@@ -1,15 +1,6 @@
-import re, cgi, time, csv, codecs
+import re, cgi, time, random, csv, codecs
 from io import BytesIO
 
-try: 
-    # Use the cryptographic source of randomness if available
-    from random import SystemRandom
-    random=SystemRandom()
-except ImportError:
-    raise
-    from random import Random
-    random=Random()
-
 from roundup import hyperdb, token, date, password
 from roundup.actions import Action as BaseAction
 from roundup.i18n import _

roundup/cgi/client.py

@@ -17,9 +17,7 @@
     random=SystemRandom()
     logger.debug("Importing good random generator")
 except ImportError:
-    raise
-    from random import Random
-    random=Random()
+    from random import random
     logger.warning("**SystemRandom not available. Using poor random generator")
 
 try:
@@ -81,6 +79,19 @@ def add_message(msg_list, msg, escape=True):
 The tracker maintainers have been notified of the problem.</p>
 </body></html>"""
 
+def seed_pseudorandom():
+    '''A function to seed the default pseudorandom random number generator
+       which is used to (at minimum):
+          * generate part of email message-id 
+          * generate OTK for password reset
+          * generate the temp recovery password
+
+       This function limits the scope of the 'import random' call
+       as the random identifier is used throughout the code and
+       can refer to SystemRandom.
+    '''
+    import random
+    random.seed()
 
 class LiberalCookie(SimpleCookie):
     """ Python's SimpleCookie throws an exception if the cookie uses invalid
@@ -307,8 +318,14 @@ class Client:
     )
 
     def __init__(self, instance, request, env, form=None, translator=None):
-        # re-seed the random number generator
+        # re-seed the random number generator. Is this is an instance of
+        # random.SystemRandom it has no effect.
         random.seed()
+        # So we also seed the pseudorandom random source obtained from
+        #    import random
+        # to make sure that every forked copy of the client will return
+        # new random numbers.
+        seed_pseudorandom()
         self.start = time.time()
         self.instance = instance
         self.request = request

roundup/cgi/templating.py

@@ -36,10 +36,7 @@
     from random import SystemRandom
     random=SystemRandom()
 except ImportError:
-    raise
-    from random import Random
-    random=Random()
-
+    from random import random
 try:
     import cPickle as pickle
 except ImportError:

roundup/mailgw.py

@@ -95,19 +95,10 @@ class node. Any parts of other types are each stored in separate files
 __docformat__ = 'restructuredtext'
 
 import string, re, os, mimetools, cStringIO, smtplib, socket, binascii, quopri
-import time, sys, logging
+import time, random, sys, logging
 import traceback
 import email.utils
 
-try: 
-    # Use the cryptographic source of randomness if available
-    from random import SystemRandom
-    random=SystemRandom()
-except ImportError:
-    raise
-    from random import Random
-    random=Random()
-
 from anypy.email_ import decode_header
 
 from roundup import configuration, hyperdb, date, password, exceptions

roundup/password.py

@@ -19,20 +19,11 @@
 """
 __docformat__ = 'restructuredtext'
 
-import re, string
+import re, string, random
 import os
 from base64 import b64encode, b64decode
 from hashlib import md5, sha1
 
-try: 
-    # Use the cryptographic source of randomness if available
-    from random import SystemRandom
-    random=SystemRandom()
-except ImportError:
-    raise
-    from random import Random
-    random=Random()
-
 try:
     import crypt
 except ImportError:
@@ -372,13 +363,6 @@ def test():
     assert 'sekrit' == p
     assert 'not sekrit' != p
 
-
-    print random.randrange(36, 52)
-    # this seems to return the save password every time
-    # when run inside a roundup daemon.
-    # but it tests out ok. I don't know why. -- rouilj
-    print generatePassword()
-
 if __name__ == '__main__':
     test()
 

roundup/roundupdb.py

@@ -20,17 +20,7 @@
 """
 __docformat__ = 'restructuredtext'
 
-import re, os, smtplib, socket, time
-
-try: 
-    # Use the cryptographic source of randomness if available
-    from random import SystemRandom
-    random=SystemRandom()
-except ImportError:
-    raise
-    from random import Random
-    random=Random()
-
+import re, os, smtplib, socket, time, random
 import cStringIO, base64, mimetypes
 import os.path
 import logging

roundup/scripts/roundup_server.py

@@ -88,17 +88,7 @@
 
 def auto_ssl():
     print _('WARNING: generating temporary SSL certificate')
-    import OpenSSL
-
-    try: 
-        # Use the cryptographic source of randomness if available
-        from random import SystemRandom
-        random=SystemRandom()
-    except ImportError:
-        raise
-        from random import Random
-        random=Random()
-
+    import OpenSSL, random
     pkey = OpenSSL.crypto.PKey()
     pkey.generate_key(OpenSSL.crypto.TYPE_RSA, 768)
     cert = OpenSSL.crypto.X509()