From: Max Kanat-Alexander Date: Wed, 27 Apr 2011 22:03:41 +0000 (-0700) Subject: Bug 646578: Remove the usage of Math::Random::Secure, as it is too difficult X-Git-Tag: bugzilla-3.4.11~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d53847d00a6da0f1668a7b98fc233588d0780a4;p=thirdparty%2Fbugzilla.git Bug 646578: Remove the usage of Math::Random::Secure, as it is too difficult to install on older branches. r=LpSolit, a=mkanat
---
diff --git a/Bugzilla/Install/Requirements.pm b/Bugzilla/Install/Requirements.pm
index 019661f0fa..586ace7502 100644
--- a/Bugzilla/Install/Requirements.pm
+++ b/Bugzilla/Install/Requirements.pm
@@ -289,12 +289,6 @@ sub OPTIONAL_MODULES {
 version => '3.51', feature => 'Recommended important security fix' },
- {
- package => 'Math-Random-Secure',
- module => 'Math::Random::Secure',
- version => '0.05',
- feature => 'Improve cookie and token security',
- },
 ); my $all_modules = _get_extension_requirements(
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 552fd7f65d..c6b3abb31d 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -584,24 +584,16 @@ sub bz_crypt {
 # strength of the string in bits. sub generate_random_password { my $size = shift || 10; # default to 10 chars if nothing specified
- my $rand;
- if (eval { require Math::Random::Secure; 1; }) {
- $rand = \&Math::Random::Secure::irand;
- }
- else {
- # For details on why this block works the way it does, see bug 619594.
- # (Note that we don't do this if Math::Random::Secure is installed,
- # because we don't need to.)
- my $counter = 0;
- $rand = sub {
- # If we regenerate the seed every 5 characters, our seed is roughly
- # as strong (in terms of bit size) as our randomly-generated
- # string itself.
- _do_srand() if ($counter % 5) == 0;
- $counter++;
- return int(rand $_[0]);
- };
- }
+ my $counter = 0;
+ # For details on why this block works the way it does, see bug 619594.
+ my $rand = sub {
+ # If we regenerate the seed every 5 characters, our seed is roughly
+ # as strong (in terms of bit size) as our randomly-generated
+ # string itself.
+ _do_srand() if ($counter % 5) == 0;
+ $counter++;
+ return int(rand $_[0]);
+ };
 return join("", map{ ('0'..'9','a'..'z','A'..'Z')[$rand->(62)] } (1..$size)); }
diff --git a/mod_perl.pl b/mod_perl.pl
index f4192ec7f7..207430d6eb 100644
--- a/mod_perl.pl
+++ b/mod_perl.pl
@@ -44,9 +44,6 @@ use Bugzilla::Mailer ();
 use Bugzilla::Template (); use Bugzilla::Util ();
-# For PerlChildInitHandler
-eval { require Math::Random::Secure };
-
 # This means that every httpd child will die after processing # a CGI if it is taking up more than 70MB of RAM all by itself. $Apache2::SizeLimit::MAX_UNSHARED_SIZE = 70000;
@@ -57,13 +54,7 @@ my $cgi_path = Bugzilla::Constants::bz_locations()->{'cgi_path'};
 my $server = Apache2::ServerUtil->server; my $conf = < AddHandler perl-script .cgi # No need to PerlModule these because they're already defined in mod_perl.pl
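Review bot: In the Bugzilla/Util.pm hunk, generate_random_password now always draws from Perl's built-in rand(), which is not a cryptographically secure generator, so the unpredictability of every value it produces rests on the seed that _do_srand() installs; _do_srand is defined outside this hunk, so its entropy source could not be checked here. The retained comment explains the reseed interval only by pointing at bug 619594, and I would state the assumption in place, e.g. `# rand() is not a CSPRNG: each group of 5 characters is only as unpredictable as one _do_srand() seed.` If _do_srand() calls srand(), as its name suggests, it also reseeds the process-wide generator, so other rand() callers in the same mod_perl child are affected and that side effect deserves a comment as well. The function's header comment begins above the hunk.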