-
Notifications
You must be signed in to change notification settings - Fork 577
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
hypnotoad children should srand after fork #402
Comments
This is a general Perl problem, not sure Hypnotoad should care about it. Why would you use rand() in a security feature anyway? Shouldn't you be using something like Crypt::Random instead? |
Then it is more a UNIX-fork-design problem rather than a Perl problem, IMHO. rand() is crucial and I suppose many modules use it internally. There is no safe way of keeping developers from stepping into this pitfall. |
From the
|
rand() can be good enough for a lot of cases. If you don't want to fix it in Hypnotoad, what can I do to fix the problem in my app, when I want/must use rand()? Is there a way for me to call srand(), when Hypnotoad forks? |
Agreed. And anyway, if you're generating secrets using rand(), you have -- ams |
Looks like everyone's weighed in; even me earlier, when I neglected to click the submit comment button. Trying to protect against folks ignoring the Perl docs seems like a bad road to travel. |
Closing ticket - feel free to re-open if you have further arguments. |
If rand() was called before fork - i.e. unnoticed by the app developer in a plugin - all children will issue the same sequence of random numbers.
Very simple example:
Run this under hypnotoad.
As a matter of fact this is a potential security issue when generating any sort of secret tokens in a forked process.
The text was updated successfully, but these errors were encountered: