harmony-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Imran Ghory (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HARMONY-4663) File.createTempFile() is insecure
Date Wed, 22 Aug 2007 19:24:31 GMT

    [ https://issues.apache.org/jira/browse/HARMONY-4663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12521901
] 

Imran Ghory commented on HARMONY-4663:
--------------------------------------

hmm acccording to the 1.4.2 api spec the default Random() constructor _has to_ seed itself
using just the time, although this requirement seems to have disappeared in 1.5 onwards, 
but I can't find anything in the 1.5 changelog to explain this change.

But for this bug I think we should resolve it by replacing Random with java.security.SecureRandom
algorithm.

> File.createTempFile() is insecure
> ---------------------------------
>
>                 Key: HARMONY-4663
>                 URL: https://issues.apache.org/jira/browse/HARMONY-4663
>             Project: Harmony
>          Issue Type: Bug
>          Components: Classlib
>            Reporter: Imran Ghory
>
> createTempFile() generates  a random file name by calling   genTempFile(prefix, newSuffix,
tmpDirFile), however that function generates it's randomness by calling new java.util.Random().nextInt();
which creates a Random() object seeded with the current time. This makes it predictable and
thus insecure[1].
> [1] See section "7.10.1.2. Temporary Files" at  http://www.faqs.org/docs/Linux-HOWTO/Secure-Programs-HOWTO.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message