harmony-commits mailing list archives

From "Paulex Yang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HARMONY-4663) File.createTempFile() is insecure
Date Fri, 24 Aug 2007 03:34:31 GMT

    [ https://issues.apache.org/jira/browse/HARMONY-4663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12522364

Paulex Yang commented on HARMONY-4663:

OK, I agree to use SecureRandom instead. 

About the Random() constructor, it seems the RI (Sun JDK 5) has changed the behavior of using only
the current time as the seed; at least it doesn't depend on System.currentTimeMillis() alone any more. See
the test below:

import java.util.*;
public class RandomTest{
    public static void main(String[] args){
        long time = System.currentTimeMillis();
        Random r1 = new Random();                 // default constructor
        long time2 = System.currentTimeMillis();
        System.out.println("If at same millis second? "+(time==time2));
        Random r2 = new Random(time);             // explicitly seeded with the same millis
        System.out.println("first int with default constructor: "+r1.nextInt());
        System.out.println("first int with explicit seed of current time: "+r2.nextInt());
    }
}

Generally it outputs:

If at same millis second? true
first int with default constructor: 1243876523
first int with explicit seed of current time: 1252033812

> File.createTempFile() is insecure
> ---------------------------------
>                 Key: HARMONY-4663
>                 URL: https://issues.apache.org/jira/browse/HARMONY-4663
>             Project: Harmony
>          Issue Type: Bug
>          Components: Classlib
>            Reporter: Imran Ghory
> createTempFile() generates a random file name by calling genTempFile(prefix, newSuffix,
> tmpDirFile), however that function generates its randomness by calling new java.util.Random().nextInt();
> which creates a Random() object seeded with the current time. This makes it predictable and
> thus insecure[1].
> [1] See section "Temporary Files" at http://www.faqs.org/docs/Linux-HOWTO/Secure-Programs-HOWTO.html
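As an added illustration of the fix the thread agrees on (this is not Harmony's genTempFile code and not code posted by either participant): a time-seeded name generator modelled on what the report describes, beside a SecureRandom-based one that also creates the file atomically so that a pre-existing file of the same name is detected rather than reused. The class and method names TempNameDemo, timeSeededName, secureName and createSecureTempFile are chosen for this example only.

```java
import java.io.File;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Random;

public class TempNameDemo {

    // Predictable variant, mirroring what the issue describes: the generator is
    // seeded with a wall-clock value, so anyone who can guess that value can
    // reproduce the exact file name. (Hypothetical helper for this example.)
    static String timeSeededName(String prefix, String suffix, long seedMillis) {
        Random r = new Random(seedMillis);
        return prefix + Integer.toString(r.nextInt()) + suffix;
    }

    // Hardened variant: one SecureRandom shared by all callers. It is created
    // once and draws its own entropy from the platform, so no time-based seed
    // is involved.
    private static final SecureRandom RNG = new SecureRandom();

    static String secureName(String prefix, String suffix) {
        return prefix + Long.toHexString(RNG.nextLong()) + suffix;
    }

    // Creates the file atomically: File.createNewFile() returns false if a file
    // of that name already exists, so a collision (or a file planted by another
    // local user) is detected and a fresh name is tried instead.
    static File createSecureTempFile(String prefix, String suffix, File dir) throws IOException {
        for (int attempt = 0; attempt < 100; attempt++) {
            File candidate = new File(dir, secureName(prefix, suffix));
            if (candidate.createNewFile()) {
                return candidate;
            }
        }
        throw new IOException("could not create a unique temp file in " + dir);
    }

    public static void main(String[] args) throws IOException {
        long now = System.currentTimeMillis();
        // Same seed, same name: this is the predictability the report describes.
        String a = timeSeededName("tmp", ".dat", now);
        String b = timeSeededName("tmp", ".dat", now);
        System.out.println("time-seeded names equal? " + a.equals(b));

        // SecureRandom-based names do not repeat from one call to the next.
        String c = secureName("tmp", ".dat");
        String d = secureName("tmp", ".dat");
        System.out.println("secure names equal? " + c.equals(d));

        File dir = new File(System.getProperty("java.io.tmpdir"));
        File f = createSecureTempFile("tmp", ".dat", dir);
        System.out.println("created " + f.getAbsolutePath());
        f.delete();
    }
}
```

The retry loop matters as much as the generator: even with an unpredictable name, silently opening an existing file in a shared temp directory would defeat the purpose, so the atomic create-if-absent call is what turns a good name into a safe temp file.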
