[Expat-bugs] [ expat-Bugs-3515103 ] randomness for hash fix not enough
SourceForge.net
2012-04-05 09:27:39 UTC
Bugs item #3515103, was opened at 2012-04-05 02:27
Message generated for change (Tracker Item Submitted) made by marcusmeissner
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3515103&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Marcus Meissner (marcusmeissner)
Assigned to: Nobody/Anonymous (nobody)
Summary: randomness for hash fix not enough

Initial Comment:
Hi,

the hash initialization with the current time(2) (seconds since 1970) is not
random enough in my opinion.
Attackers could guess and inject entries tailored to this specific second (or the ones around it).

If you use time-based technologies, try gettimeofday() and use the fractional part tv_usec perhaps?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3515103&group_id=10127
SourceForge.net
2012-04-05 13:34:04 UTC
Bugs item #3515103, was opened at 2012-04-05 02:27
Message generated for change (Comment added) made by kwaclaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3515103&group_id=10127

----------------------------------------------------------------------
Comment By: Karl Waclawek (kwaclaw)
Date: 2012-04-05 06:34

Message:
I am open to concrete suggestions/patches, but I won't have time for
another release soon.

In any case, you can supply your own hash salt - after creating the parser,
but before parsing is started. See the new API function XML_SetHashSalt.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3515103&group_id=10127