mirror of
https://github.com/curl/curl.git
synced 2025-04-12 16:20:35 +08:00
365c5ba395
When doing multi-part formposts, libcurl used a pseudo-random value that was seeded with time(). This turns out to be bad for users who formpost data that is provided with users who then can guess how the boundary string will look like and then they can forge a different formpost part and trick the receiver. My advice to such implementors is (still even after this change) to not rely on the boundary strings being cryptographically strong. Fix your code and logic to not depend on them that much! I moved the Curl_rand() function into the sslgen.c source file now to be able to take advantage of the SSL library's random function if it provides one. If not, try to use the RANDOM_FILE for seeding and as a last resort keep the old logic, just modified to also add microseconds which makes it harder to properly guess the exact seed. The formboundary() function in formdata.c is now using 64 bit entropy for the boundary and therefore the string of dashes was reduced by 4 letters and there are 16 hex digits following it. The total length is thus still the same. Bug: http://curl.haxx.se/bug/view.cgi?id=1251 Reported-by: "Floris"
_ _ ____ _
___| | | | _ \| |
/ __| | | | |_) | |
| (__| |_| | _ <| |___
\___|\___/|_| \_\_____|
README
Curl is a command line tool for transferring data specified with URL
syntax. Find out how to use curl by reading the curl.1 man page or the
MANUAL document. Find out how to install Curl by reading the INSTALL
document.
libcurl is the library curl is using to do its job. It is readily
available to be used by your software. Read the libcurl.3 man page to
learn how!
You find answers to the most frequent questions we get in the FAQ document.
Study the COPYING file for distribution terms and similar. If you distribute
curl binaries or other binaries that involve libcurl, you might enjoy the
LICENSE-MIXING document.
CONTACT
If you have problems, questions, ideas or suggestions, please contact us
by posting to a suitable mailing list. See http://curl.haxx.se/mail/
All contributors to the project are listed in the THANKS document.
WEB SITE
Visit the curl web site for the latest news and downloads:
http://curl.haxx.se/
GIT
To download the very latest source off the GIT server do this:
git clone git://github.com/bagder/curl.git
(you'll get a directory named curl created, filled with the source code)
NOTICE
Curl contains pieces of source code that is Copyright (c) 1998, 1999
Kungliga Tekniska Högskolan. This notice is included here to comply with the
distribution terms.