From b6215582d81c29905312453b9802e7b9467d9f69 Mon Sep 17 00:00:00 2001 From: Hypercube Date: Tue, 11 May 2021 11:32:07 +0800 Subject: [PATCH 1/3] Use secure entropy source to generate CSRF tokens --- yesod-core/src/Yesod/Core/Dispatch.hs | 16 ++++++++++++++-- yesod-core/src/Yesod/Core/Types.hs | 8 +++++++- yesod-core/yesod-core.cabal | 3 ++- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/yesod-core/src/Yesod/Core/Dispatch.hs b/yesod-core/src/Yesod/Core/Dispatch.hs index 60779532..959aaae3 100644 --- a/yesod-core/src/Yesod/Core/Dispatch.hs +++ b/yesod-core/src/Yesod/Core/Dispatch.hs @@ -46,6 +46,7 @@ import qualified Network.Wai as W import Data.ByteString.Lazy.Char8 () +import Data.Bits ((.|.), finiteBitSize, shiftL) import Data.Text (Text) import qualified Data.ByteString as S import qualified Data.ByteString.Lazy as BL @@ -59,7 +60,7 @@ import Yesod.Core.Class.Dispatch import Yesod.Core.Internal.Run import Text.Read (readMaybe) import System.Environment (getEnvironment) -import qualified System.Random as Random +import System.Entropy (getEntropy) import Control.AutoUpdate (mkAutoUpdate, defaultUpdateSettings, updateAction, updateFreq) import Yesod.Core.Internal.Util (getCurrentMaxExpiresRFC1123) 
@@ -92,8 +93,19 @@ toWaiAppPlain site = do , yreGetMaxExpires = getMaxExpires } +-- | Generate a random number uniformly distributed in the full range +-- of 'Int'. +-- +-- Note: Before 1.7.0, this generates pseudo-random number in an +-- unspecified range. The range size may not be a power of 2. Since +-- 1.7.0, this uses a secure entropy source and generates in the full +-- range of 'Int'. defaultGen :: IO Int -defaultGen = Random.getStdRandom Random.next +defaultGen = bsToInt <$> getEntropy bytes + where + bits = finiteBitSize (undefined :: Int) + bytes = div (bits + 7) 8 + bsToInt = S.foldl' (\v i -> shiftL v 8 .|. fromIntegral i) 0 -- | Pure low level function to construct WAI application. Usefull -- when you need not standard way to run your app, or want to embed it diff --git a/yesod-core/src/Yesod/Core/Types.hs b/yesod-core/src/Yesod/Core/Types.hs index a33a4f5c..322dce0a 100644 --- a/yesod-core/src/Yesod/Core/Types.hs +++ b/yesod-core/src/Yesod/Core/Types.hs @@ -196,7 +196,13 @@ data YesodRunnerEnv site = YesodRunnerEnv , yreSite :: !site , yreSessionBackend :: !(Maybe SessionBackend) , yreGen :: !(IO Int) - -- ^ Generate a random number + -- ^ Generate a random number uniformly distributed in the full + -- range of 'Int'. + -- + -- Note: Before 1.7.0, the default value generates pseudo-random + -- number in an unspecified range. The range size may not be a power + -- of 2. Since 1.7.0, the default value uses a secure entropy source + -- and generates in the full range of 'Int'. , yreGetMaxExpires :: !(IO Text) } diff --git a/yesod-core/yesod-core.cabal b/yesod-core/yesod-core.cabal index 41a228b4..b37a05ba 100644 --- a/yesod-core/yesod-core.cabal +++ b/yesod-core/yesod-core.cabal @@ -1,5 +1,5 @@ name: yesod-core -version: 1.6.19.0 +version: 1.7.0 license: MIT license-file: LICENSE author: Michael Snoyman @@ -39,6 +39,7 @@ library , containers >= 0.2 , cookie >= 0.4.3 && < 0.5 , deepseq >= 1.3 + , entropy , fast-logger >= 2.2 , http-types >= 0.7 , memory 
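Review bot: `defaultGen` has no documented failure behaviour, and every call is a separate `getEntropy` request for a single `Int`. If the system source cannot be read, the exception will propagate to whoever runs `yreGen` (I believe `getEntropy` throws rather than degrading, but confirm against the `entropy` release you build with). Failing closed is the right outcome for CSRF tokens, so I would state it in the Haddock rather than catch it: `-- Throws if the system entropy source is unavailable; do not add a fallback to a non-cryptographic generator.` A minor style point in the `where` clause: `finiteBitSize (0 :: Int)` reads better than passing `undefined`, which only works because the argument is never evaluated. The hunk's trailing context belongs to the next definition, which continues outside the hunk.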
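Review bot: The new field comment on `yreGen` describes the default value but not the requirement on replacements, and the commit subject says this value feeds CSRF token generation. An application that builds its own `YesodRunnerEnv` can still supply a predictable generator, and nothing in the comment tells it not to. I would put the contract on the field itself, e.g. `-- Used to generate CSRF tokens: any replacement must draw from a cryptographically secure source.` The record declaration begins above the hunk.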
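Review bot: `, entropy` is added to `build-depends` with no version bound, while most of the neighbouring entries carry at least a lower bound. This package now supplies the randomness behind CSRF tokens, so I would constrain it to the range that was actually tested, `, entropy >= <MIN_TESTED_VERSION> && < <NEXT_MAJOR>` (placeholders; take the real values from the build plan). That keeps a solver from selecting a release that was never exercised with this code. The `library` stanza continues outside the hunk.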
From 5deabe53e8085814906ce015c72175c997e0529e Mon Sep 17 00:00:00 2001 From: Hypercube Date: Tue, 11 May 2021 11:35:59 +0800 Subject: [PATCH 2/3] Update changelog --- yesod-core/ChangeLog.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/yesod-core/ChangeLog.md b/yesod-core/ChangeLog.md index 70041a9f..edcb7e07 100644 --- a/yesod-core/ChangeLog.md +++ b/yesod-core/ChangeLog.md @@ -1,5 +1,10 @@ # ChangeLog for yesod-core +## 1.7.0 + +* Generate CSRF tokens using a secure entropy source [#1726](https://github.com/yesodweb/yesod/pull/1726) +* Change semantics of `yreGen` and `defaultGen` + ## 1.6.19.0 * Change order of priority in `languages`[#1721](https://github.com/yesodweb/yesod/pull/1721) From 1cb0fc579c4562aa3057d2d5fb29b58811071365 Mon Sep 17 00:00:00 2001 From: Hypercube Date: Tue, 11 May 2021 14:03:51 +0800 Subject: [PATCH 3/3] Change version number --- yesod-core/ChangeLog.md | 2 +- yesod-core/src/Yesod/Core/Dispatch.hs | 4 ++-- yesod-core/src/Yesod/Core/Types.hs | 4 ++-- yesod-core/yesod-core.cabal | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/yesod-core/ChangeLog.md b/yesod-core/ChangeLog.md index edcb7e07..45793963 100644 --- a/yesod-core/ChangeLog.md +++ b/yesod-core/ChangeLog.md @@ -1,6 +1,6 @@ # ChangeLog for yesod-core -## 1.7.0 +## 1.6.20 * Generate CSRF tokens using a secure entropy source [#1726](https://github.com/yesodweb/yesod/pull/1726) * Change semantics of `yreGen` and `defaultGen` diff --git a/yesod-core/src/Yesod/Core/Dispatch.hs b/yesod-core/src/Yesod/Core/Dispatch.hs index 959aaae3..8a2501e6 100644 --- a/yesod-core/src/Yesod/Core/Dispatch.hs +++ b/yesod-core/src/Yesod/Core/Dispatch.hs 
@@ -96,9 +96,9 @@ toWaiAppPlain site = do
 -- | Generate a random number uniformly distributed in the full range
 -- of 'Int'.
 --
--- Note: Before 1.7.0, this generates pseudo-random number in an
+-- Note: Before 1.6.20, this generates pseudo-random number in an
 -- unspecified range. The range size may not be a power of 2. Since
--- 1.7.0, this uses a secure entropy source and generates in the full
+-- 1.6.20, this uses a secure entropy source and generates in the full
 -- range of 'Int'.
 defaultGen :: IO Int
 defaultGen = bsToInt <$> getEntropy bytes
diff --git a/yesod-core/src/Yesod/Core/Types.hs b/yesod-core/src/Yesod/Core/Types.hs
index 322dce0a..11a55f1a 100644
--- a/yesod-core/src/Yesod/Core/Types.hs
+++ b/yesod-core/src/Yesod/Core/Types.hs
@@ -199,9 +199,9 @@ data YesodRunnerEnv site = YesodRunnerEnv
 -- ^ Generate a random number uniformly distributed in the full
 -- range of 'Int'.
 --
- -- Note: Before 1.7.0, the default value generates pseudo-random
+ -- Note: Before 1.6.20, the default value generates pseudo-random
 -- number in an unspecified range. The range size may not be a power
- -- of 2. Since 1.7.0, the default value uses a secure entropy source
+ -- of 2. Since 1.6.20, the default value uses a secure entropy source
 -- and generates in the full range of 'Int'.
 , yreGetMaxExpires :: !(IO Text)
 }
diff --git a/yesod-core/yesod-core.cabal b/yesod-core/yesod-core.cabal
index b37a05ba..1c258f15 100644
--- a/yesod-core/yesod-core.cabal
+++ b/yesod-core/yesod-core.cabal
@@ -1,5 +1,5 @@
 name: yesod-core
-version: 1.7.0
+version: 1.6.20
 license: MIT
 license-file: LICENSE
 author: Michael Snoyman