From e3a854a4305004b1b930dcde16e609ebccc9d78b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tina=20M=C3=BCller?= <cpan2@tinita.de>
Date: Wed, 28 May 2025 16:21:08 +0200
Subject: [PATCH] Use Crypt::URandom for generation of nonce
See https://nvd.nist.gov/vuln/detail/CVE-2024-58036
The result is a string of hex digits with the same length as before, 16.
Bug: https://github.com/norbu09/Net--Dropbox/issues/19
Bug-Debian: https://bugs.debian.org/1102147
Origin: https://github.com/norbu09/Net--Dropbox/pull/20
---
Makefile.PL | 2 +-
lib/Net/Dropbox/API.pm | 4 ++--
t/nonce.t | 9 +++++++++
3 files changed, 12 insertions(+), 3 deletions(-)
create mode 100644 t/nonce.t
diff --git a/Makefile.PL b/Makefile.PL
index 0865ac2..301aac2 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -12,7 +12,7 @@ requires 'JSON';
requires 'Mouse';
requires 'Encode';
requires 'Net::OAuth';
-requires 'Data::Random';
+requires 'Crypt::URandom';
requires 'common::sense';
requires 'File::Basename';
requires 'LWP::UserAgent';
diff --git a/lib/Net/Dropbox/API.pm b/lib/Net/Dropbox/API.pm
index bcdec21..3d53799 100644
--- a/lib/Net/Dropbox/API.pm
+++ b/lib/Net/Dropbox/API.pm
@@ -8,7 +8,7 @@ use Net::OAuth;
use LWP::UserAgent;
use URI;
use HTTP::Request::Common;
-use Data::Random qw(rand_chars);
+use Crypt::URandom qw(urandom);
use Encode;
=head1 NAME
@@ -382,7 +382,7 @@ Generate a different nonce for every request.
=cut
-sub nonce { join( '', rand_chars( size => 16, set => 'alphanumeric' )); }
+sub nonce { unpack("H*", urandom(8)); }
sub _talk {
my $self = shift;
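Review bot: The new `nonce` body relies on the implicit value of its last statement rather than an explicit `return`, and the POD two lines above still says only "Generate a different nonce for every request", so the change in output alphabet is undocumented. I would write `sub nonce { return unpack('H*', urandom(8)); }` and add a POD sentence such as "Returns 16 lowercase hexadecimal digits (8 bytes of OS-provided randomness via Crypt::URandom); the previous version returned 16 mixed-case alphanumerics from a non-cryptographic generator." Anything consuming the nonce as a value of the old character set would presumably be unaffected for OAuth signing, but the note makes the intent explicit. `_talk` begins on the last hunk line and continues outside the hunk.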
diff --git a/t/nonce.t b/t/nonce.t
new file mode 100644
index 0000000..7be9762
--- /dev/null
+++ b/t/nonce.t
@@ -0,0 +1,9 @@
+use strict;
+use warnings;
+use Test::More;
+use Net::Dropbox::API;
+
+my $nonce = Net::Dropbox::API::nonce();
+like $nonce, qr{^[a-zA-Z0-9]{16}\z}, 'expected nonce content';
+
+done_testing;
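Review bot: The assertion on the `like` line accepts any 16 alphanumerics, which is looser than what the new implementation emits (`unpack("H*", ...)` yields lowercase hex only), so a regression back to a different generator or alphabet would still pass; `like $nonce, qr{\A[0-9a-f]{16}\z}, 'expected nonce content';` pins the actual contract. The test also never checks the one property the commit subject cares about, that two calls differ; adding `isnt $nonce, Net::Dropbox::API::nonce(), 'nonce differs between calls';` covers that cheaply. The `^` anchor without `/m` is fine here but `\A` is the conventional pair with `\z`.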