#499 randomness for hash fix not enough

open
nobody
None
5
2012-04-05
2012-04-05
Marcus Meissner
No

Hi,

the hash initialization with the current time(2) (seconds since 1970) is not
random enough in my opinion.
Attackers could guess and inject entries tailored to this specific second (or the ones around it).

If you use timebased tehcnologies, try gettimeofday() and use the fractional part tv_usec perhaps.?

Discussion

  • Karl Waclawek
    Karl Waclawek
    2012-04-05

    I am open to concrete suggestions/patches, but I won't have time for another release soon.

    In any case, you can supply your own hash salt - after creating the parser, but before parsing is started. See the new API function XML_SetHashSalt.