Issue #5105 has been reported by Masahiro Tomita.

----------------------------------------
Bug #5105: CGI::Session#session_id ?????????号?????ゃ?????
http://redmine.ruby-lang.org/issues/5105

Author: Masahiro Tomita
Status: Open
Priority: Normal
Assignee: 
Category: 
Target version: 
ruby -v: ruby 1.8.7 (2011-06-30 patchlevel 352) [i686-linux]


???帥????с?????

???荅宴?с???????? r13672 ??? CGI::Session#session_id ??? SecureRandom ?????????
??????箙掩?違?????膣???篏?????????????????c?????障?????????????障?с??帥?ゃ????鴻?帥?潟?? &
??????祉??ID & 箙掩?? & ??阪?????絖??????????????????? MD5 ?????ゃ?吾?с?鴻????ゃ??篏睡?????????
?????障????????

??????????????????????? MD5 ?????ゃ?吾?с?鴻????ゃ??????????????膣???箙??違????????障?鞘戎????
?????鴻?????茲??????榊????????????????c?????障?c????????????????????????????????с????????
?????с???????????

?????????????絎????????茲??????榊???????????障?c?????с??

篁ヤ?????SecureRandom ???篏帥????ゃ?ゅ????????????祉?????????????с?????

--- lib/cgi/session.rb.orig	2009-02-20 19:35:11.000000000 +0900
+++ lib/cgi/session.rb	2011-07-27 12:27:57.000000000 +0900
@@ -25,6 +25,8 @@
 
 require 'cgi'
 require 'tmpdir'
+require 'securerandom'
+require 'digest/md5'
 
 class CGI
 
@@ -174,21 +176,15 @@
     # is used internally for automatically generated
     # session ids. 
     def create_new_id
-      require 'securerandom'
-      begin
-        session_id = SecureRandom.hex(16)
-      rescue NotImplementedError
-        require 'digest/md5'
-        md5 = Digest::MD5::new
-        now = Time::now
-        md5.update(now.to_s)
-        md5.update(String(now.usec))
-        md5.update(String(rand(0)))
-        md5.update(String($$))
-        md5.update('foobar')
-        session_id = md5.hexdigest
-      end
-      session_id
+      r = SecureRandom.random_bytes(16) rescue rand(0).to_s
+      md5 = Digest::MD5::new
+      now = Time::now
+      md5.update(now.to_s)
+      md5.update(String(now.usec))
+      md5.update(r)
+      md5.update(String($$))
+      md5.update('foobar')
+      md5.hexdigest
     end
     private :create_new_id
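Review bot: the modifier `rescue` on the `r = SecureRandom.random_bytes(16) rescue rand(0).to_s` line does not cover the case the removed code handled. A modifier `rescue` only catches StandardError, and NotImplementedError is a ScriptError in Ruby, so when SecureRandom has no usable source the exception propagates out of create_new_id and the `rand(0).to_s` fallback is never reached. Whatever the modifier does catch is swallowed silently, and the id is then built only from the time, `rand(0)`, the pid and the constant 'foobar', which is the guessable construction the SecureRandom path was meant to replace. Suggest keeping an explicit `begin ... rescue NotImplementedError` around the SecureRandom call so the fallback is deliberate and visible, and deciding whether the weak fallback should exist at all or whether the error should be raised. Also note that the MD5 step yields the same 128-bit id length as the removed `SecureRandom.hex(16)`, so the time, pid and 'foobar' inputs add no strength when `r` is already 16 random bytes; a short comment in the method stating why the raw SecureRandom output is hashed rather than returned would help later readers.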







-- 
http://redmine.ruby-lang.org