tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 53050] New: org.apache.catalina.session.ManagerBase has issues with update the seed (initialized to System.currentTimeMillis()), since only the 32 least significant bits are changed by the XOR.
Date Mon, 09 Apr 2012 18:08:03 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53050

             Bug #: 53050
           Summary: org.apache.catalina.session.ManagerBase has issues
                    with update the seed (initialized to
                    System.currentTimeMillis()), since only the 32 least
                    significant bits are changed by the XOR.
           Product: Tomcat 6
           Version: 6.0.24
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: andras_rozsa@yahoo.com
    Classification: Unclassified


Line 563: long seed = System.currentTimeMillis();
...
Line 567: long update = ((byte) entropy[i]) << ((i % 8) * 8);
Line 568: seed ^= update;

The byte-cast in Line 567 should be replaced by a long-cast.

With the byte-cast of entropy[i] the long update becomes a 32-bit int, so the
32 most significant bits of the seed will not be updated by the XOR in Line
568.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
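The mixing step quoted in the report can be run side by side with the proposed long-cast variant. This is an added example, not Tomcat source and not code from the reporter: the class and method names are hypothetical, `entropy` is assumed to be a `char[]` (the report does not show its type), and the seed and entropy values are constructed. It also covers one case beyond the report, a value above 0x7f, where the negative byte is sign-extended.

```java
// Added illustration; not Tomcat source. Class and method names are hypothetical.
public class SeedMixDemo {

    // Mixing step as quoted in the report (Lines 567-568): the byte is promoted
    // to int, so the shift distance is reduced mod 32 and the int result is
    // sign-extended when it is widened to long.
    static long mixWithByteCast(long seed, char[] entropy) {
        for (int i = 0; i < entropy.length; i++) {
            long update = ((byte) entropy[i]) << ((i % 8) * 8);
            seed ^= update;
        }
        return seed;
    }

    // Variant proposed in the report: widen to long before shifting, so shift
    // distances 32..56 are honoured.
    static long mixWithLongCast(long seed, char[] entropy) {
        for (int i = 0; i < entropy.length; i++) {
            long update = ((long) entropy[i]) << ((i % 8) * 8);
            seed ^= update;
        }
        return seed;
    }

    public static void main(String[] args) {
        long seed = 0L; // constructed: a zero seed makes the changed bits directly visible
        char[] entropy = "constructed-sample-entropy".toCharArray(); // constructed, ASCII only

        long a = mixWithByteCast(seed, entropy);
        long b = mixWithLongCast(seed, entropy);

        System.out.printf("byte cast: %016x  high 32 bits: %08x%n", a, (int) (a >>> 32));
        System.out.printf("long cast: %016x  high 32 bits: %08x%n", b, (int) (b >>> 32));

        // A value above 0x7f becomes a negative byte; its sign extension flips
        // all 32 high bits together instead of contributing eight bits of input.
        long c = mixWithByteCast(0L, new char[] { 0x00e9 }); // constructed
        System.out.printf("negative byte at i=0: %016x%n", c);
    }
}
```

With ASCII-only entropy the byte-cast variant leaves the high 32 bits of the seed untouched, which is the behaviour the report describes.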

