
Author barry
Recipients barry
Date 2014-11-06.20:07:25
Message-id <1415304446.34.0.331764401827.issue22807@psf.upfronthosting.co.za>
Content
I'm classifying this as a security issue, since using uuid_generate_time() -- i.e. the not _safe() variety -- does return collisions in real world cases that we've seen, and those could have security implications. However, I don't know that this can be exploited in any real world cases, so I'm not making it private or sending to security@.

The basic problem is that uuid.uuid1() uses uuid_generate_time(3), but if the synchronization methods used in that C function's manpage are not used, then two concurrent processes can -- and do in our cases -- return the same UUID.

I would propose that if uuid_generate_time_safe() is available, this should be used instead, and the return value should be checked to see if a safe method was used.  If not, then uuid1() should fall back to the pure-Python approach.
History
Date                 User   Action  Args
2014-11-06 20:07:26  barry  set     recipients: + barry
2014-11-06 20:07:26  barry  set     messageid: <1415304446.34.0.331764401827.issue22807@psf.upfronthosting.co.za>
2014-11-06 20:07:26  barry  link    issue22807 messages
2014-11-06 20:07:25  barry  create
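
The check proposed in the message above, sketched with ctypes as an added example (not CPython's implementation and not code from this issue): call uuid_generate_time_safe(), accept the UUID only when it returns 0, and otherwise build a version 1 UUID in Python. The helper names, the `generate` test hook and the random 14-bit clock sequence in the fallback are assumptions of this sketch.

```python
import ctypes
import ctypes.util
import secrets
import time
import uuid

GREGORIAN_OFFSET = 0x01B21DD213814000  # 100 ns ticks from 1582-10-15 to 1970-01-01


def load_time_safe():
    """Return libuuid's uuid_generate_time_safe, or None if it is unavailable."""
    name = ctypes.util.find_library("uuid")
    if not name:
        return None
    try:
        fn = ctypes.CDLL(name).uuid_generate_time_safe
    except (OSError, AttributeError):
        return None
    fn.restype = ctypes.c_int
    return fn


def pure_python_uuid1(node=None, clock_seq=None):
    """Build a version 1 UUID without libuuid (RFC 4122 field layout)."""
    ts = time.time_ns() // 100 + GREGORIAN_OFFSET
    if clock_seq is None:
        clock_seq = secrets.randbits(14)  # assumption: fresh random value per call
    if node is None:
        node = uuid.getnode()
    fields = (ts & 0xFFFFFFFF, (ts >> 32) & 0xFFFF, (ts >> 48) & 0x0FFF,
              (clock_seq >> 8) & 0x3F, clock_seq & 0xFF, node)
    return uuid.UUID(fields=fields, version=1)


def uuid1_checked(generate=None):
    """Return (UUID, source); `generate` overrides the libuuid call for testing."""
    fn = generate if generate is not None else load_time_safe()
    if fn is not None:
        buf = ctypes.create_string_buffer(16)  # uuid_t is 16 bytes
        # Per the manpage: 0 means generated safely, -1 means it was not.
        if fn(buf) == 0:
            return uuid.UUID(bytes=buf.raw), "libuuid-safe"
    return pure_python_uuid1(), "pure-python"


if __name__ == "__main__":
    print(uuid1_checked())
```

The second element of the returned tuple records which path produced the UUID, so a caller can log or alert when the safe path is not being used.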