Mailing Lists
|
|
cURL Mailing List Monthly Index Single Mail
curl-tracker Archives
[curl:bugs] #1251 Form boundary string should be truly random
From: brim <brimston3_at_users.sf.net>
Date: Mon, 24 Jun 2013 21:18:45 +0000
Thank you, Daniel. I applied your patch to my local git repository and it solves the problem we were having (predictability of the form boundary). I agree that the libcurl users should be sanitizing their inputs, however, there is no way to tell what form boundary libcurl may use and test for that specifically. It may be beneficial to share that information with the host program somehow, though I realize it changes with attachment depth. This patch is sufficient.
--- ** [bugs:#1251] Form boundary string should be truly random** **Status:** open **Created:** Mon Jun 24, 2013 11:24 AM UTC by Floris **Last Updated:** Mon Jun 24, 2013 08:31 PM UTC **Owner:** Daniel Stenberg The use of predicatable pseudo-random numbers to generate the multipart/form boundary can lead to security issues in software using libcurl. See: http://localhost.re/p/solusvm-whmcs-module-316-vulnerability --- Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/ To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.Received on 2013-06-24 These mail archives are generated by hypermail. |
Page updated May 06, 2013.
web site info