uuid4 from Math.random is a security flaw

butterfly/routes.py

@@ -19,14 +19,16 @@
 import json
 import os
 import sys
+from collections import defaultdict
+from mimetypes import guess_type
+from uuid import uuid4
+
+import tornado.escape
 import tornado.options
 import tornado.process
-import tornado.escape
 import tornado.web
 import tornado.websocket
-from mimetypes import guess_type
-from collections import defaultdict
-from butterfly import url, Route, utils, __version__
+from butterfly import Route, __version__, url, utils
 from butterfly.terminal import Terminal
 
 
@@ -41,7 +43,8 @@ class Index(Route):
     def get(self, user, path, session):
         if not tornado.options.options.unsecure and user:
             raise tornado.web.HTTPError(400)
-        return self.render('index.html')
+        return self.render(
+            'index.html', session=session or str(uuid4()))
 
 
 @url(r'/theme/([^/]+)/style.css')

butterfly/static/main.js

@@ -1,5 +1,5 @@
 (function() {
-  var $, State, Terminal, cancel, cols, openTs, quit, rows, s, uuid, ws,
+  var $, State, Terminal, cancel, cols, openTs, quit, rows, s, ws,
     indexOf = [].indexOf || function(item) { for (var i = 0, l = this.length; i < l; i++) { if (i in this && this[i] === item) return i; } return -1; };
 
   cols = rows = null;
@@ -15,15 +15,6 @@
 
   $ = document.querySelectorAll.bind(document);
 
-  uuid = function() {
-    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) {
-      var r, v;
-      r = Math.random() * 16 | 0;
-      v = c === 'x' ? r : r & 0x3 | 0x8;
-      return v.toString(16);
-    });
-  };
-
   document.addEventListener('DOMContentLoaded', function() {
     var close, ctl, error, init_ctl_ws, init_shell_ws, open, path, reopenOnClose, rootPath, term, write, write_request, wsUrl;
     term = null;
@@ -39,7 +30,7 @@
     wsUrl += document.location.host + rootPath;
     path = location.pathname;
     if (path.indexOf('/session') < 0) {
-      path += "session/" + (uuid());
+      path += "session/" + (document.body.getAttribute('data-session-token'));
     }
     path += location.search;
     ws.shell = new WebSocket(wsUrl + '/ws' + path);

butterfly/templates/index.html

@@ -1,5 +1,6 @@
 <!DOCTYPE html>
 {% from tornado.options import options %}
+{% from uuid import uuid4 %}
 <html>
   <head>
     <meta charset="utf-8">
@@ -15,7 +16,8 @@
 
   <body spellcheck="false"
         data-force-unicode-width="{{ 'yes' if options.force_unicode_width else 'no' }}"
-        data-root-path="{{ options.uri_root_path }}">
+        data-root-path="{{ options.uri_root_path }}"
+        data-session-token={{ session }}>
     <div id="popup" class="hidden">
     </div>
     <script src="{{ static_url('html-sanitizer.js') }}"></script>

coffees/main.coffee

@@ -25,12 +25,6 @@ ws =
 
 $ = document.querySelectorAll.bind(document)
 
-uuid = ->
-  'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace /[xy]/g, (c) ->
-    r = Math.random() * 16 | 0
-    v = if c is 'x' then r else (r & 0x3|0x8)
-    v.toString(16)
-
 document.addEventListener 'DOMContentLoaded', ->
   term = null
 
@@ -46,7 +40,7 @@ document.addEventListener 'DOMContentLoaded', ->
   wsUrl += document.location.host + rootPath
   path = location.pathname
   if path.indexOf('/session') < 0
-    path += "session/#{uuid()}"
+    path += "session/#{document.body.getAttribute('data-session-token')}"
 
   path += location.search