#499 randomness for hash fix not enough

open
nobody
None
5
2016-03-28
2012-04-05
No

Hi,

the hash initialization with the current time(2) (seconds since 1970) is not
random enough in my opinion.
Attackers could guess and inject entries tailored to this specific second (or the ones around it).

If you use timebased tehcnologies, try gettimeofday() and use the fractional part tv_usec perhaps.?

Discussion

  • Karl Waclawek

    Karl Waclawek - 2012-04-05

    I am open to concrete suggestions/patches, but I won't have time for another release soon.

    In any case, you can supply your own hash salt - after creating the parser, but before parsing is started. See the new API function XML_SetHashSalt.

     
  • Sebastian Pipping

    The issue is now addressed on Git master. Closing.

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks