Force all uses of random to use SystemRandom and abort if

pseudorandom random.Random would be used rather than
Random.SystemRandom.

random.Random is returning the same value time after time.  Even when
being seeded after instantiation, calls to the random.random()
function return the same value like it's not advanceing the state of
the generator.

So "fix" is to force use of system random generator to generate:

 one time keys for password reset (action.py)
 random passwords when resetting passwords (password.py)
 serial number for auto ssl cert generation (roundup_server.py)
 Message-ID's in email: mailgw.py, client.py
 anti-csrf nonces (templating.py)

Author: rouilj

roundup/cgi/actions.py

@@ -1,6 +1,15 @@
-import re, cgi, time, random, csv, codecs
+import re, cgi, time, csv, codecs
 from io import BytesIO
 
+try: 
+    # Use the cryptographic source of randomness if available
+    from random import SystemRandom
+    random=SystemRandom()
+except ImportError:
+    raise
+    from random import Random
+    random=Random()
+
 from roundup import hyperdb, token, date, password
 from roundup.actions import Action as BaseAction
 from roundup.i18n import _

roundup/cgi/client.py

@@ -17,7 +17,9 @@
     random=SystemRandom()
     logger.debug("Importing good random generator")
 except ImportError:
-    from random import random
+    raise
+    from random import Random
+    random=Random()
     logger.warning("**SystemRandom not available. Using poor random generator")
 
 try:

roundup/cgi/templating.py

@@ -36,7 +36,10 @@
     from random import SystemRandom
     random=SystemRandom()
 except ImportError:
-    from random import random
+    raise
+    from random import Random
+    random=Random()
+
 try:
     import cPickle as pickle
 except ImportError:

roundup/mailgw.py

@@ -95,10 +95,19 @@ class node. Any parts of other types are each stored in separate files
 __docformat__ = 'restructuredtext'
 
 import string, re, os, mimetools, cStringIO, smtplib, socket, binascii, quopri
-import time, random, sys, logging
+import time, sys, logging
 import traceback
 import email.utils
 
+try: 
+    # Use the cryptographic source of randomness if available
+    from random import SystemRandom
+    random=SystemRandom()
+except ImportError:
+    raise
+    from random import Random
+    random=Random()
+
 from anypy.email_ import decode_header
 
 from roundup import configuration, hyperdb, date, password, exceptions

roundup/password.py

@@ -19,11 +19,20 @@
 """
 __docformat__ = 'restructuredtext'
 
-import re, string, random
+import re, string
 import os
 from base64 import b64encode, b64decode
 from hashlib import md5, sha1
 
+try: 
+    # Use the cryptographic source of randomness if available
+    from random import SystemRandom
+    random=SystemRandom()
+except ImportError:
+    raise
+    from random import Random
+    random=Random()
+
 try:
     import crypt
 except ImportError:
@@ -363,6 +372,13 @@ def test():
     assert 'sekrit' == p
     assert 'not sekrit' != p
 
+
+    print random.randrange(36, 52)
+    # this seems to return the save password every time
+    # when run inside a roundup daemon.
+    # but it tests out ok. I don't know why. -- rouilj
+    print generatePassword()
+
 if __name__ == '__main__':
     test()
 

roundup/roundupdb.py

@@ -20,7 +20,17 @@
 """
 __docformat__ = 'restructuredtext'
 
-import re, os, smtplib, socket, time, random
+import re, os, smtplib, socket, time
+
+try: 
+    # Use the cryptographic source of randomness if available
+    from random import SystemRandom
+    random=SystemRandom()
+except ImportError:
+    raise
+    from random import Random
+    random=Random()
+
 import cStringIO, base64, mimetypes
 import os.path
 import logging

roundup/scripts/roundup_server.py

@@ -88,7 +88,17 @@
 
 def auto_ssl():
     print _('WARNING: generating temporary SSL certificate')
-    import OpenSSL, random
+    import OpenSSL
+
+    try: 
+        # Use the cryptographic source of randomness if available
+        from random import SystemRandom
+        random=SystemRandom()
+    except ImportError:
+        raise
+        from random import Random
+        random=Random()
+
     pkey = OpenSSL.crypto.PKey()
     pkey.generate_key(OpenSSL.crypto.TYPE_RSA, 768)
     cert = OpenSSL.crypto.X509()