From d0c396538b6cd19f0cf4fd56ab9ec2b2aff306d3 Mon Sep 17 00:00:00 2001
From: "Alex V." <119082209+Retengart@users.noreply.github.com>
Date: Sat, 7 Feb 2026 16:50:24 +0300
Subject: [PATCH] fix(security): use secrets.choice instead of random.choices for username

Per Python docs, secrets module should be used for security-sensitive data. random.choices uses Mersenne Twister PRNG which is predictable. secrets.choice was already used for password generation in the same file.
---
 chatmaild/src/chatmaild/newemail.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/chatmaild/src/chatmaild/newemail.py b/chatmaild/src/chatmaild/newemail.py
index 198afce5..8b484fe6 100644
--- a/chatmaild/src/chatmaild/newemail.py
+++ b/chatmaild/src/chatmaild/newemail.py
@@ -3,7 +3,6 @@
 """CGI script for creating new accounts."""
 
 import json
-import random
 import secrets
 import string
 from urllib.parse import quote
@@ -16,7 +15,9 @@ ALPHANUMERIC_PUNCT = string.ascii_letters + string.digits + string.punctuation
 
 
 def create_newemail_dict(config: Config):
- user = "".join(random.choices(ALPHANUMERIC, k=config.username_max_length))
+ user = "".join(
+ secrets.choice(ALPHANUMERIC) for _ in range(config.username_max_length)
+ )
 password = "".join(
 secrets.choice(ALPHANUMERIC_PUNCT)
 for _ in range(config.password_min_length + 3)
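Review bot: In `create_newemail_dict` the username and password are now built by the same `"".join(secrets.choice(...) for _ in range(...))` expression written out twice, and nothing next to the code records why a non-secret value like the username comes from the CSPRNG. A one-line comment above the `user = "".join(` assignment, such as `# secrets, not random: generated addresses should not be predictable from earlier ones`, would keep a later cleanup from reverting it, and a small private helper taking the alphabet and the length would remove the duplication. The hunk does not show whether a generated username is checked against existing accounts, so that is worth confirming wherever the result is consumed. The function body continues past the end of the hunk.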