aboutsummaryrefslogtreecommitdiff
path: root/tests/data
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2013-06-24 22:24:35 +0200
committerDaniel Stenberg <daniel@haxx.se>2013-06-25 09:55:49 +0200
commit365c5ba39591fab2e60bf4f0e67d9dcf79ecc506 (patch)
tree6e02f6904f12fcd94b1036643bc5064c809e807b /tests/data
parentcb1aa8b0e32068ec4bbbc42d41267420b46a36e7 (diff)
formpost: better random boundaries
When doing multi-part formposts, libcurl used a pseudo-random value that was seeded with time(). This turns out to be bad for users who formpost data that is provided with users who then can guess how the boundary string will look like and then they can forge a different formpost part and trick the receiver. My advice to such implementors is (still even after this change) to not rely on the boundary strings being cryptographically strong. Fix your code and logic to not depend on them that much! I moved the Curl_rand() function into the sslgen.c source file now to be able to take advantage of the SSL library's random function if it provides one. If not, try to use the RANDOM_FILE for seeding and as a last resort keep the old logic, just modified to also add microseconds which makes it harder to properly guess the exact seed. The formboundary() function in formdata.c is now using 64 bit entropy for the boundary and therefore the string of dashes was reduced by 4 letters and there are 16 hex digits following it. The total length is thus still the same. Bug: http://curl.haxx.se/bug/view.cgi?id=1251 Reported-by: "Floris"
Diffstat (limited to 'tests/data')
-rw-r--r--tests/data/test1582
-rw-r--r--tests/data/test27710
-rw-r--r--tests/data/test5544
-rw-r--r--tests/data/test5874
4 files changed, 10 insertions, 10 deletions
diff --git a/tests/data/test158 b/tests/data/test158
index 5cbc97ab6..9c4b22f70 100644
--- a/tests/data/test158
+++ b/tests/data/test158
@@ -33,7 +33,7 @@ http://%HOSTIP:%HTTPPORT/158 -F name=daniel
<strip>
^User-Agent:.*
^Content-Type: multipart/form-data.*
-^---------------------------.*
+^-----------------------.*
</strip>
<protocol>
POST /158 HTTP/1.1
diff --git a/tests/data/test277 b/tests/data/test277
index 18e419850..a509b40ec 100644
--- a/tests/data/test277
+++ b/tests/data/test277
@@ -37,8 +37,8 @@ http://%HOSTIP:%HTTPPORT/want/277 -F name=daniel -H "Content-Type: text/info"
^User-Agent:.*
</strip>
<strippart>
-s/^------------------------------[a-z0-9]*/------------------------------/
-s/boundary=----------------------------[a-z0-9]*/boundary=----------------------------/
+s/^--------------------------[a-z0-9]*/--------------------------/
+s/boundary=------------------------[a-z0-9]*/boundary=------------------------/
</strippart>
<protocol>
POST /want/277 HTTP/1.1
@@ -47,13 +47,13 @@ Host: %HOSTIP:%HTTPPORT
Accept: */*
Content-Length: 145
Expect: 100-continue
-Content-Type: text/info; boundary=----------------------------
+Content-Type: text/info; boundary=------------------------
-------------------------------
+--------------------------
Content-Disposition: form-data; name="name"
daniel
---------------------------------
+----------------------------
</protocol>
</verify>
</testcase>
diff --git a/tests/data/test554 b/tests/data/test554
index 9d9bbcca7..8c6b762ef 100644
--- a/tests/data/test554
+++ b/tests/data/test554
@@ -35,8 +35,8 @@ http://%HOSTIP:%HTTPPORT/554
# Verify data after the test has been "shot"
<verify>
<strippart>
-s/^------------------------------[a-z0-9]*/------------------------------/
-s/boundary=----------------------------[a-z0-9]*/boundary=----------------------------/
+s/^--------------------------[a-z0-9]*/------------------------------/
+s/boundary=------------------------[a-z0-9]*/boundary=----------------------------/
</strippart>
# Note that the stripping above removes 12 bytes from every occurance of the
# boundary string and since 5 of them are in the body contents, we see
diff --git a/tests/data/test587 b/tests/data/test587
index 6e1239a6a..d936372c5 100644
--- a/tests/data/test587
+++ b/tests/data/test587
@@ -28,8 +28,8 @@ http://%HOSTIP:%HTTPPORT/587
# Verify data after the test has been "shot"
<verify>
<strippart>
-s/^------------------------------[a-z0-9]*/------------------------------/
-s/boundary=----------------------------[a-z0-9]*/boundary=----------------------------/
+s/^--------------------------[a-z0-9]*/------------------------------/
+s/boundary=------------------------[a-z0-9]*/boundary=----------------------------/
</strippart>
<protocol>
POST /587 HTTP/1.1