Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hypnotoad children should srand after fork #402

Closed
augensalat opened this issue Oct 24, 2012 · 7 comments
Closed

hypnotoad children should srand after fork #402

augensalat opened this issue Oct 24, 2012 · 7 comments
Assignees
@tempire

Comments

@augensalat
Copy link
Contributor

If rand() was called before fork - i.e. unnoticed by the app developer in a plugin - all children will issue the same sequence of random numbers.

Very simple example:

use Mojolicious::Lite;

my $random = rand;

get '/' => sub {
  $_[0]->stash(pid => $$, random => rand);
} => 'index';

app->start;

__DATA__

@@ index.html.ep
<%= $pid %>: <%= $random %>

Run this under hypnotoad.

As a matter of fact this is a potential security issue when generating any sort of secret tokens in a forked process.
@kraih
Copy link
Member

kraih commented Oct 24, 2012

This is a general Perl problem, not sure Hypnotoad should care about it. Why would you use rand() in a security feature anyway? Shouldn't you be using something like Crypt::Random instead?

@augensalat
Copy link
Contributor Author

Then it is more a UNIX-fork-design problem rather than a Perl problem, IMHO.

rand() is crucial and I suppose many modules use it internally. There is no safe way of keeping developers from stepping into this pitfall.

@kraih
Copy link
Member

kraih commented Oct 24, 2012

From the rand() documentation.

"rand()" is not cryptographically secure. You should not rely
on it in security-sensitive situations. As of this writing, a
number of third-party CPAN modules offer random number
generators intended by their authors to be cryptographically
secure, including: Data::Entropy, Crypt::Random,
Math::Random::Secure, and Math::TrulyRandom.

@augensalat
Copy link
Contributor Author

rand() can be good enough for a lot of cases.

If you don't want to fix it in Hypnotoad, what can I do to fix the problem in my app, when I want/must use rand()? Is there a way for me to call srand(), when Hypnotoad forks?

@ghost ghost assigned tempire Oct 24, 2012
@amenonsen
Copy link
Contributor

This is a general Perl problem, not sure Hypnotoad should care about it.

Agreed. And anyway, if you're generating secrets using rand(), you have
bigger problems anyway.

-- ams

@tempire
Copy link
Contributor

tempire commented Oct 25, 2012

Looks like everyone's weighed in; even me earlier, when I neglected to click the submit comment button. Trying to protect against folks ignoring the Perl docs seems like a bad road to travel.

@tempire
Copy link
Contributor

tempire commented Oct 25, 2012

Closing ticket - feel free to re-open if you have further arguments.

@tempire tempire closed this as completed Oct 25, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tempire tempire

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@amenonsen @kraih @tempire @augensalat