tomcat-dev mailing list archives

From Andras Rozsa <andras_ro...@yahoo.com>
Subject Tomcat 6 org.apache.catalina.session.ManagerBase issue
Date Mon, 09 Apr 2012 02:04:32 GMT
Tomcat Developers,

I am a UCCS student and the project I have been working on is related to session ID generation.

I have checked the source code of Tomcat 6 (6.0.24) and I think I have found a mistake.

org.apache.catalina.session.ManagerBase


Line 567: long update = ((byte) entropy[i]) << ((i % 8) * 8);

This solution is not perfect.

The update will be a 32-bit integer this way, so only the 32 LSB of the seed will be modified by entropy through the XOR.
The byte casting should be replaced by a long casting.

Like this: long update = ((long) entropy[i]) << ((i % 8) * 8);

I hope you understand my point.


Sincerely,
Andras Rozsa
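Added example, not part of the message above and not Tomcat's own code: it places the quoted expression with the byte cast next to the long-cast version proposed in the message and prints, for each of the eight byte positions, the update value each one produces and which bits of the 64-bit seed the entropy can reach. The entropy bytes and the zero starting seed are constructed for the demo; the method names are my own.

```java
import java.util.Arrays;
import java.util.Locale;

/**
 * Added example (not Tomcat code): compares the two seed-mixing expressions
 * from the mailing-list message. Entropy input is constructed for the demo.
 */
public class SeedMixDemo {

    // Expression as quoted from ManagerBase (byte cast). Java promotes the
    // byte operand to int before shifting, so the shift distance is reduced
    // modulo 32 and the 32-bit result is only afterwards widened
    // (sign-extended) to long.
    static long updateByteCast(byte[] entropy, int i) {
        return ((byte) entropy[i]) << ((i % 8) * 8);
    }

    // Expression as proposed in the message (long cast): the shift is a
    // 64-bit shift, so distances 32, 40, 48 and 56 are honoured.
    static long updateLongCast(byte[] entropy, int i) {
        return ((long) entropy[i]) << ((i % 8) * 8);
    }

    // The XOR mixing loop the message describes, around either expression.
    static long mix(long seed, byte[] entropy, boolean longCast) {
        for (int i = 0; i < entropy.length; i++) {
            seed ^= longCast ? updateLongCast(entropy, i) : updateByteCast(entropy, i);
        }
        return seed;
    }

    // OR together the update produced by each non-sign bit of each byte
    // position: the mask shows which seed bits the entropy can influence
    // independently of sign extension.
    static long reachableBits(boolean longCast) {
        long mask = 0L;
        for (int i = 0; i < 8; i++) {
            for (int bit = 0; bit < 7; bit++) {
                byte[] e = new byte[8];          // constructed single-bit input
                e[i] = (byte) (1 << bit);
                mask |= longCast ? updateLongCast(e, i) : updateByteCast(e, i);
            }
        }
        return mask;
    }

    public static void main(String[] args) {
        byte[] entropy = new byte[8];            // constructed input: 0x5A in every slot
        Arrays.fill(entropy, (byte) 0x5A);

        System.out.printf(Locale.ROOT, "%-3s %-18s %-18s%n", "i", "byte cast", "long cast");
        for (int i = 0; i < 8; i++) {
            System.out.printf(Locale.ROOT, "%-3d %016x   %016x%n",
                    i, updateByteCast(entropy, i), updateLongCast(entropy, i));
        }
        System.out.printf(Locale.ROOT, "reachable bits (byte cast): %016x%n", reachableBits(false));
        System.out.printf(Locale.ROOT, "reachable bits (long cast): %016x%n", reachableBits(true));
        System.out.printf(Locale.ROOT, "mixed seed (byte cast):     %016x%n", mix(0L, entropy, false));
        System.out.printf(Locale.ROOT, "mixed seed (long cast):     %016x%n", mix(0L, entropy, true));
    }
}
```

Compile and run with `javac SeedMixDemo.java && java SeedMixDemo`. Under the byte cast, positions i and i+4 use the same effective shift distance (32, 40, 48 and 56 are reduced to 0, 8, 16 and 24), so with the constructed all-0x5A input each pair produces identical updates that cancel in the XOR, and the reachable-bit mask never extends above bit 31. One further observation of my own, beyond what the message raises: both expressions sign-extend a negative entropy byte before shifting (a long cast widens -1 to sixty-four set bits), so a variant such as `(entropy[i] & 0xFFL) << ((i % 8) * 8)` is what confines each byte strictly to its own eight bits of the seed.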