[Disclaimer: I don't know anything about OAuth, or python-oauth2.]

* Paul Wise <pabs@debian.org>, 2013-10-09, 07:41:
On Wed, Oct 9, 2013 at 5:46 AM, Philippe Makowski wrote:
> do you think that for fixing that, using
> return ''.join(random.choice('abcdefghijklmnopqrstuvwxyz123456789') for i in xrange(length))
> ...would be an acceptable fix?
No, from the announcement of this issue on oss-sec:
... the Python 'random' documentation clearly states the results are repeatable ...
http://www.openwall.com/lists/oss-security/2013/09/12/5
Yeah, the oss-sec mail is about using a RNG that is not suitable for cryptographic purposes. This can be easily fixed by using "random.SystemRandom" (which uses /dev/urandom) instead of the "random" module directly (which has a Mersenne Twister under the hood).
Confusingly, the mail also points to upstream bug report[0], which is about an (almost) orthogonal problem. Philippe's fix would make birthday attacks harder. Note however that make_nonce() and generate_nonce() docstrings say "generate pseudorandom number", so they would have to be updated accordingly.
[0] https://github.com/simplegeo/python-oauth2/issues/9

-- 
Jakub Wilk
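The fix Jakub describes, as an added example that is not part of this thread or of python-oauth2: the same nonce builder once with the module-level Mersenne Twister (repeatable when re-seeded, which is the oss-sec complaint) and once with random.SystemRandom, plus the entropy estimate behind the birthday-attack remark. The function names weak_nonce, secure_nonce and nonce_entropy_bits are hypothetical, not the upstream make_nonce()/generate_nonce().

```python
import math
import random

# Alphabet from Philippe's proposed fix (35 symbols; note '0' is absent).
ALPHABET = 'abcdefghijklmnopqrstuvwxyz123456789'


def weak_nonce(length=8, seed=None):
    """Build a nonce with the Mersenne Twister (hypothetical 'before' helper).

    random.Random is deterministic: the same seed yields the same sequence,
    so an attacker who learns or guesses the seed can predict every nonce.
    """
    rng = random.Random(seed)
    return ''.join(rng.choice(ALPHABET) for _ in range(length))


def secure_nonce(length=8):
    """Generate a cryptographically random nonce (hypothetical 'after' helper).

    random.SystemRandom reads os.urandom() (/dev/urandom on Linux) and
    ignores seed(), so its output cannot be reproduced by re-seeding.
    """
    rng = random.SystemRandom()
    return ''.join(rng.choice(ALPHABET) for _ in range(length))


def nonce_entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy in a uniformly chosen nonce of this length.

    A birthday collision is expected after roughly 2**(bits/2) nonces,
    so doubling the length squares the attacker's work.
    """
    return length * math.log(len(alphabet), 2)


def is_repeatable(generator, runs=2, **kwargs):
    """True if repeated calls return the same nonce, which is a defect."""
    values = {generator(**kwargs) for _ in range(runs)}
    return len(values) == 1
```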