Merge pull request #857 from martinthomson/bug/856

Fix for ID generation vulnerability #856
socketio · Apr 26, 2012 · de1afe1 · de1afe1
2 parents fe6dd87 + aaad106
commit de1afe1
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/lib/manager.js b/lib/manager.js
@@ -11,6 +11,7 @@
 var fs = require('fs')
   , url = require('url')
   , tty = require('tty')
+  , crypto = require('crypto')
   , util = require('./util')
   , store = require('./store')
   , client = require('socket.io-client')
@@ -139,6 +140,8 @@ function Manager (server, options) {
     self.emit('connection', conn);
   });
 
+  this.sequenceNumber = Date.now() | 0;
+
   this.log.info('socket.io started');
 };
 
@@ -703,8 +706,18 @@ Manager.prototype.handleClient = function (data, req) {
  */
 
 Manager.prototype.generateId = function () {
-  return Math.abs(Math.random() * Math.random() * Date.now() | 0).toString()
-    + Math.abs(Math.random() * Math.random() * Date.now() | 0).toString();
+  var rand = new Buffer(15); // multiple of 3 for base64
+  this.sequenceNumber = (this.sequenceNumber + 1) | 0;
+  rand.writeInt32BE(this.sequenceNumber, 11);
+  if (crypto.randomBytes) {
+    crypto.randomBytes(12).copy(rand);
+  } else {
+    // not secure for node 0.4
+    [0, 4, 8].forEach(function(i) {
+      rand.writeInt32BE(Math.random() * Math.pow(2, 32) | 0, i);
+    });
+  }
+  return rand.toString('base64').replace(/\//g, '_').replace(/\+/g, '-');
 };
 
 /**