Switched to SystemRandom() and updated README w/ correct Twitter links. Fixes CVE-2013-4347. Closes #146. Closes #137.

Author: joestump

README.md

@@ -60,7 +60,7 @@ consumer = oauth.Consumer(key="your-twitter-consumer-key",
     secret="your-twitter-consumer-secret")
 
 # Request token URL for Twitter.
-request_token_url = "http://twitter.com/oauth/request_token"
+request_token_url = "https://api.twitter.com/oauth/request_token"
 
 # Create our client.
 client = oauth.Client(consumer)
@@ -84,9 +84,9 @@ import oauth2 as oauth
 consumer_key = 'my_key_from_twitter'
 consumer_secret = 'my_secret_from_twitter'
 
-request_token_url = 'http://twitter.com/oauth/request_token'
-access_token_url = 'http://twitter.com/oauth/access_token'
-authorize_url = 'http://twitter.com/oauth/authorize'
+request_token_url = 'https://api.twitter.com/oauth/request_token'
+access_token_url = 'https://api.twitter.com/oauth/access_token'
+authorize_url = 'https://api.twitter.com/oauth/authorize'
 
 consumer = oauth.Consumer(consumer_key, consumer_secret)
 client = oauth.Client(consumer)
@@ -145,7 +145,7 @@ print
 
 # Logging into Django w/ Twitter
 
-Twitter also has the ability to authenticate a user [via an OAuth flow](http://apiwiki.twitter.com/Sign-in-with-Twitter). This
+Twitter also has the ability to authenticate a user [via an OAuth flow](https://dev.twitter.com/docs/auth/sign-twitter). This
 flow is exactly like the three-legged OAuth flow, except you send them to a 
 slightly different URL to authorize them. 
 
@@ -221,11 +221,11 @@ from mytwitterapp.models import Profile
 consumer = oauth.Consumer(settings.TWITTER_TOKEN, settings.TWITTER_SECRET)
 client = oauth.Client(consumer)
 
-request_token_url = 'http://twitter.com/oauth/request_token'
-access_token_url = 'http://twitter.com/oauth/access_token'
+request_token_url = 'https://api.twitter.com/oauth/request_token'
+access_token_url = 'https://api.twitter.com/oauth/access_token'
 
 # This is the slightly different URL used to authenticate/authorize.
-authenticate_url = 'http://twitter.com/oauth/authenticate'
+authenticate_url = 'https://api.twitter.com/oauth/authenticate'
 
 def twitter_login(request):
     # Step 1. Get a request token from Twitter.
@@ -254,6 +254,7 @@ def twitter_authenticated(request):
     # Step 1. Use the request token in the session to build a new client.
     token = oauth.Token(request.session['request_token']['oauth_token'],
         request.session['request_token']['oauth_token_secret'])
+    token.set_verifier(request.GET['oauth_verifier'])
     client = oauth.Client(consumer, token)
 
     # Step 2. Request the authorized access token from Twitter.

oauth2/__init__.py

@@ -164,12 +164,12 @@ def generate_timestamp():
 
 def generate_nonce(length=8):
     """Generate pseudorandom number."""
-    return ''.join([str(random.randint(0, 9)) for i in range(length)])
+    return ''.join([str(random.SystemRandom().randint(0, 9)) for i in range(length)])
 
 
 def generate_verifier(length=8):
     """Generate pseudorandom number."""
-    return ''.join([str(random.randint(0, 9)) for i in range(length)])
+    return ''.join([str(random.SystemRandom().randint(0, 9)) for i in range(length)])
 
 
 class Consumer(object):
@@ -509,7 +509,7 @@ def make_timestamp(cls):
     @classmethod
     def make_nonce(cls):
         """Generate pseudorandom number."""
-        return str(random.randint(0, 100000000))
+        return str(random.SystemRandom().randint(0, 100000000))
 
     @classmethod
     def from_request(cls, http_method, http_url, headers=None, parameters=None,