
curl-tracker Archives

[curl:bugs] #1251 Form boundary string should be truly random

From: Dan Fandrich <dfandrich_at_users.sf.net>
Date: Mon, 24 Jun 2013 23:42:19 +0000

I can't think of any reason to strip off the bottom 8 bits of each random number when generating the multipart line. More randomness is better, after all, and those extra bits are free! In fact, some of those redundant dashes could be replaced with another 32 bits of entropy with little effort.

On a side note, the previous use of a non-cryptographically-secure PRNG in Curl_sasl_create_digest_md5_message gives me a bad feeling. I wonder what security impact that had?

---
**[bugs:#1251] Form boundary string should be truly random**
**Status:** open
**Created:** Mon Jun 24, 2013 11:24 AM UTC by Floris
**Last Updated:** Mon Jun 24, 2013 10:39 PM UTC
**Owner:** Daniel Stenberg
The use of predictable pseudo-random numbers to generate the multipart/form boundary can lead to security issues in software using libcurl.
See: http://localhost.re/p/solusvm-whmcs-module-316-vulnerability
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.
Received on 2013-06-25
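The point raised in this thread is that a multipart boundary is only as unguessable as the entropy actually written into it: throwing away the low 8 bits of each random word, or padding with fixed dashes where random bytes could go, makes the boundary easier to predict, and a boundary an attacker can predict can be placed inside a body part to forge extra parts. The following is an added example written for this archive page, not code from curl or libcurl: it draws 128 bits from the OS CSPRNG, hex-encodes every bit into the boundary (nothing shifted away), checks the result against the RFC 2046 boundary syntax (1 to 70 characters from the allowed set, no trailing space), and offers a collision check a sender can run over a body part before using the boundary. The `/dev/urandom` path, the 28-dash prefix and all function names are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* RFC 2046: a boundary is 1..70 characters of bcharsnospace plus space,
   and must not end in a space. */
#define BOUNDARY_MAX        70
#define BOUNDARY_RAND_BYTES 16   /* 128 bits of entropy, all of it kept */
/* 28 dashes of RFC-legal filler; 28 + 2*16 hex digits = 60 <= 70 */
#define BOUNDARY_PREFIX "----------------------------"

/* Read n bytes from the OS CSPRNG. Returns 1 on success, 0 on failure.
   Assumption (this example's): a POSIX system exposing /dev/urandom. */
static int fill_random(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return 0;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n;
}

/* Hex-encode every bit of rnd after the prefix. Unlike a scheme that does
   rand() >> 8, no bits are discarded. Returns the boundary length, or 0 if
   the result would exceed BOUNDARY_MAX or out is too small. */
size_t boundary_from_bytes(const unsigned char *rnd, size_t n,
                           char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t plen = strlen(BOUNDARY_PREFIX);
    size_t need = plen + 2 * n;
    if (need > BOUNDARY_MAX || outlen < need + 1)
        return 0;
    memcpy(out, BOUNDARY_PREFIX, plen);
    for (size_t i = 0; i < n; i++) {
        out[plen + 2 * i]     = hex[rnd[i] >> 4];
        out[plen + 2 * i + 1] = hex[rnd[i] & 0x0f];
    }
    out[need] = '\0';
    return need;
}

/* Syntax check against the RFC 2046 boundary grammar. Returns 1 if valid. */
int boundary_is_valid(const char *b)
{
    size_t len = strlen(b);
    if (len == 0 || len > BOUNDARY_MAX)
        return 0;
    if (b[len - 1] == ' ')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)b[i];
        if (isalnum(c) || strchr("'()+_,-./:=? ", c))
            continue;
        return 0;
    }
    return 1;
}

/* Does the delimiter "--" + boundary occur anywhere inside a body part?
   With a full-entropy boundary this is astronomically unlikely, but a sender
   that wants a hard guarantee can check before committing to a boundary. */
int boundary_collides(const char *b, const char *body, size_t bodylen)
{
    size_t blen = strlen(b);
    for (size_t i = 0; i + blen + 2 <= bodylen; i++) {
        if (body[i] == '-' && body[i + 1] == '-' &&
            memcmp(body + i + 2, b, blen) == 0)
            return 1;
    }
    return 0;
}

/* Generate a fresh boundary into out. Returns 1 on success. */
int make_boundary(char *out, size_t outlen)
{
    unsigned char rnd[BOUNDARY_RAND_BYTES];
    if (!fill_random(rnd, sizeof rnd))
        return 0;
    return boundary_from_bytes(rnd, sizeof rnd, out, outlen) != 0;
}

int main(void)
{
    char b[BOUNDARY_MAX + 1];
    if (!make_boundary(b, sizeof b)) {
        fputs("CSPRNG unavailable\n", stderr);
        return 1;
    }
    /* Constructed sample body part used only to exercise the collision check */
    const char body[] = "field=value\r\nmore data";
    printf("Content-Type: multipart/form-data; boundary=%s\n", b);
    printf("valid=%d collides=%d\n", boundary_is_valid(b),
           boundary_collides(b, body, sizeof body - 1));
    return 0;
}
```

The design choice worth noting is the split between `fill_random` and `boundary_from_bytes`: the encoding step is deterministic and testable on its own, so a reviewer can confirm that the number of random bytes going in equals the number of hex digits coming out, which is exactly the property the thread asks for.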
