harmony-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paulex Yang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HARMONY-4663) File.createTempFile() is insecure
Date Wed, 22 Aug 2007 03:28:31 GMT

    [ https://issues.apache.org/jira/browse/HARMONY-4663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12521666
] 

Paulex Yang commented on HARMONY-4663:
--------------------------------------

Imran, 

Thanks for finding this and the wonderful link. IMHO this is a java.util.Random issue more
than java.io.File, because we cannot get much control on the File's permission from Java,
unless we rewrite it in JNI with native OS support. 

About the Random, currently Harmony's default constructor for Random use the sum of current
time and hashcode(inherited behavior from Object and generally internal address of this object)
as seed, do you think it can resolve this issue?  

Or any suggestions from you on this? Thanks a lot.

> File.createTempFile() is insecure
> ---------------------------------
>
>                 Key: HARMONY-4663
>                 URL: https://issues.apache.org/jira/browse/HARMONY-4663
>             Project: Harmony
>          Issue Type: Bug
>          Components: Classlib
>            Reporter: Imran Ghory
>
> createTempFile() generates  a random file name by calling   genTempFile(prefix, newSuffix,
tmpDirFile), however that function generates it's randomness by calling new java.util.Random().nextInt();
which creates a Random() object seeded with the current time. This makes it predictable and
thus insecure[1].
> [1] See section "7.10.1.2. Temporary Files" at  http://www.faqs.org/docs/Linux-HOWTO/Secure-Programs-HOWTO.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message