Issue #5105 has been reported by Masahiro Tomita.

----------------------------------------
Bug #5105: About how CGI::Session#session_id is generated
http://redmine.ruby-lang.org/issues/5105

Author: Masahiro Tomita
Status: Open
Priority: Normal
Assignee: 
Category: 
Target version: 
ruby -v: ruby 1.8.7 (2011-06-30 patchlevel 352) [i686-linux]


This is Tomita.

This is an old story, but since r13672 CGI::Session#session_id uses the random number obtained from SecureRandom directly, as is. Until then it used the MD5 digest value of timestamp & process ID & random number & fixed string.

I think that using the random number directly as is, rather than an MD5 digest value generated in this way, has made duplicates more likely to occur. What do you think?

In fact, duplicates actually occurred.

Below is a patch that goes back to the previous method while still using SecureRandom.

--- lib/cgi/session.rb.orig	2009-02-20 19:35:11.000000000 +0900
+++ lib/cgi/session.rb	2011-07-27 12:27:57.000000000 +0900
@@ -25,6 +25,8 @@
 
 require 'cgi'
 require 'tmpdir'
+require 'securerandom'
+require 'digest/md5'
 
 class CGI
 
@@ -174,21 +176,15 @@
     # is used internally for automatically generated
     # session ids. 
     def create_new_id
-      require 'securerandom'
-      begin
-        session_id = SecureRandom.hex(16)
-      rescue NotImplementedError
-        require 'digest/md5'
-        md5 = Digest::MD5::new
-        now = Time::now
-        md5.update(now.to_s)
-        md5.update(String(now.usec))
-        md5.update(String(rand(0)))
-        md5.update(String($$))
-        md5.update('foobar')
-        session_id = md5.hexdigest
-      end
-      session_id
+      r = SecureRandom.random_bytes(16) rescue rand(0).to_s
+      md5 = Digest::MD5::new
+      now = Time::now
+      md5.update(now.to_s)
+      md5.update(String(now.usec))
+      md5.update(r)
+      md5.update(String($$))
+      md5.update('foobar')
+      md5.hexdigest
     end
     private :create_new_id
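Review bot: The modifier `rescue` on the added `SecureRandom.random_bytes(16)` line only catches StandardError, while the removed code rescued NotImplementedError, which is a ScriptError, so on a platform without a secure random source this line now raises instead of falling back. If the fallback is meant to stay, keep an explicit `begin ... rescue NotImplementedError` block; better still, consider failing there rather than silently building the session id from `rand(0)`, the time and the pid, which are guessable inputs. Also, the MD5 output is still 128 bits, so hashing the 16 random bytes together with `now`, `$$` and 'foobar' cannot make collisions less likely than 16 good random bytes alone; if duplicates were observed, the random source itself deserves a look before this goes in.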







-- 
http://redmine.ruby-lang.org