Issue #5105 has been reported by Masahiro Tomita.

----------------------------------------
Bug #5105: About how CGI::Session#session_id is generated
http://redmine.ruby-lang.org/issues/5105

Author: Masahiro Tomita
Status: Open
Priority: Normal
Assignee:
Category:
Target version:
ruby -v: ruby 1.8.7 (2011-06-30 patchlevel 352) [i686-linux]

This is Tomita.

This is an old matter, but as of r13672 CGI::Session#session_id uses the random number generated by SecureRandom directly. Until then, it used an MD5 digest value generated from the timestamp & process ID & random number & a fixed string.

I think that using the random number directly as-is, rather than an MD5 digest value generated in this way, has made duplicates more likely to occur. What do you think?

Or rather, duplicates have actually occurred, so below is a patch that goes back to the previous method while still using SecureRandom.

--- lib/cgi/session.rb.orig 2009-02-20 19:35:11.000000000 +0900 +++ lib/cgi/session.rb 2011-07-27 12:27:57.000000000 +0900 @@ -25,6 +25,8 @@ require 'cgi' require 'tmpdir' +require 'securerandom' +require 'digest/md5' class CGI @@ -174,21 +176,15 @@ # is used internally for automatically generated # session ids. def create_new_id - require 'securerandom' - begin - session_id = SecureRandom.hex(16) - rescue NotImplementedError - require 'digest/md5' - md5 = Digest::MD5::new - now = Time::now - md5.update(now.to_s) - md5.update(String(now.usec)) - md5.update(String(rand(0))) - md5.update(String($$)) - md5.update('foobar') - session_id = md5.hexdigest - end - session_id + r = SecureRandom.random_bytes(16) rescue rand(0).to_s + md5 = Digest::MD5::new + now = Time::now + md5.update(now.to_s) + md5.update(String(now.usec)) + md5.update(r) + md5.update(String($$)) + md5.update('foobar') + md5.hexdigest end private :create_new_id

--
http://redmine.ruby-lang.org
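
Review bot: In the second hunk, `r = SecureRandom.random_bytes(16) rescue rand(0).to_s` uses the rescue modifier, which only catches StandardError, while the removed code rescued NotImplementedError explicitly. NotImplementedError descends from ScriptError, so with this line the `rand(0)` fallback would not run when no secure random source is available and the exception would propagate out of create_new_id. Suggest keeping an explicit `begin ... rescue NotImplementedError` around the SecureRandom call. Separately, when the fallback does run, the only hard-to-guess input to the digest is `rand(0)`, since the timestamp, `$$` and 'foobar' are predictable, so a comment noting that this path produces weaker session ids would help.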
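
As an added illustration (not code from the report or from Ruby's cgi/session.rb), the following compares the two id schemes when the random source returns the same bytes twice. `RepeatingSource`, `direct_id`, `mixed_id` and `collision_report` are hypothetical names, and the repeating source is a constructed assumption: the report does not say why duplicates occurred.

```ruby
require 'digest/md5'

# Hypothetical stand-in for a random source that hands out the same bytes
# on every call (constructed for illustration).
class RepeatingSource
  def initialize(bytes)
    @bytes = bytes
  end

  def random_bytes(n)
    @bytes[0, n]
  end
end

# Scheme the patch removes: the id is just the random bytes in hex.
def direct_id(source)
  source.random_bytes(16).unpack('H*').first
end

# Scheme the patch introduces: random bytes hashed with time, usec and pid.
# now and pid are parameters here so the effect of each input is visible.
def mixed_id(source, now, pid)
  md5 = Digest::MD5.new
  md5.update(now.to_s)
  md5.update(String(now.usec))
  md5.update(source.random_bytes(16))
  md5.update(String(pid))
  md5.update('foobar')
  md5.hexdigest
end

# Reports which pairs of ids collide when the source repeats its output.
def collision_report(source, t1, t2, pid1, pid2)
  {
    :direct           => direct_id(source) == direct_id(source),
    :mixed_same_ctx   => mixed_id(source, t1, pid1) == mixed_id(source, t1, pid1),
    :mixed_other_usec => mixed_id(source, t1, pid1) == mixed_id(source, t2, pid1),
    :mixed_other_pid  => mixed_id(source, t1, pid1) == mixed_id(source, t1, pid2),
  }
end

if __FILE__ == $0
  src = RepeatingSource.new([*0..15].pack('C*'))  # constructed sample bytes
  t1 = Time.at(1311737277, 100)                   # constructed timestamps
  t2 = Time.at(1311737277, 200)
  p collision_report(src, t1, t2, 4000, 4001)
end
```

The mixed scheme separates the ids only when the timestamp or pid differs; two calls with the same pid in the same microsecond still collide if the random bytes repeat.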