On 15.08.2008 12:05, Sven Joachim wrote:
> On 2008-08-15 11:21 +0200, Riku Voipio wrote:
>> using only 5 * X as in your version makes your app quite possibly
>> brute-forceable.
> Not really, to make mktemp fail with 5 X's an attacker would have to
> create 52^5 = 380204032 file names, which would probably make the file
> system run out of inodes.

WRT 52: Oh, yes. I missed lower case chars ;-) So my calculation
for the right system (TM) -- including numbers -- would be even better: 62^5.

>>> This is the way it should be (Opensuse):
>> I suspect opensuse uses the gnu coreutils version of mktemp?
> Seems so. Opensuse 11.0 no longer has an mktemp package, while their
> package from 10.3 shows the same behavior as the Debian version.

<OT> Good point, can confirm it on opensuse 10.2 </OT>

> Apart from the pid, mktemp only uses the letters A-Z and a-z.

Yes, looking at it more closely: That's another point which is not
understandable. Please use numbers, too (see point a in initial e-mail)!
Cheers,
Dirk
--
Dirk Wetter @ Dr. Wetter IT Consulting http://drwetter.org
Beratung IT-Sicherheit + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3 64E5 C967 34D8 11B7 C62F
-
Found core file older than 7 days: /usr/share/man/man5/core.5.gz
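The two things the thread argues about, how many distinct names a template with N X's can produce over a given alphabet, and which characters the installed mktemp actually draws from, can both be checked locally. The script below is an added example and not code from anyone in this thread; it assumes a POSIX shell with coreutils mktemp, fold, sort and tr, and the probe.XXXXXXXX template and scratch directory it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example: size an mktemp template's name space and probe the
# character set the local mktemp substitutes for the X's.
# Assumes coreutils mktemp, fold, sort, tr (assumption, not from the thread).
export LC_ALL=C   # keep [A-Z]/[a-z] ranges byte-based, not locale-collated

# keyspace BASE LEN: number of distinct suffixes for LEN random positions
# drawn from an alphabet of BASE characters (52 = letters only, 62 = +digits).
keyspace() {
    ks_base=$1; ks_len=$2; ks_r=1; ks_i=0
    while [ "$ks_i" -lt "$ks_len" ]; do
        ks_r=$((ks_r * ks_base))
        ks_i=$((ks_i + 1))
    done
    echo "$ks_r"
}

# probe_alphabet [N]: create N files from a probe.XXXXXXXX template in a
# scratch directory and print the sorted set of distinct characters that
# mktemp used in place of the X's (no newline).
probe_alphabet() {
    pa_n=${1:-200}
    pa_dir=$(mktemp -d) || return 1
    pa_prefix="probe."
    pa_i=0
    while [ "$pa_i" -lt "$pa_n" ]; do
        pa_f=$(mktemp "$pa_dir/${pa_prefix}XXXXXXXX") || exit 1
        printf '%s\n' "${pa_f##*/$pa_prefix}"   # just the random suffix
        pa_i=$((pa_i + 1))
    done | fold -w1 | sort -u | tr -d '\n'
    rm -rf "$pa_dir"
}

# alphabet_classes ALPHABET: report which of digits/upper/lower are present,
# so a letters-only mktemp (the 52-character case) is visible at a glance.
alphabet_classes() {
    ac_out=""
    case $1 in *[0-9]*) ac_out="${ac_out}digits ";; esac
    case $1 in *[A-Z]*) ac_out="${ac_out}upper ";; esac
    case $1 in *[a-z]*) ac_out="${ac_out}lower ";; esac
    echo "${ac_out% }"
}

# Demo: the thread's two figures side by side, then longer templates.
for len in 5 6 8 10; do
    printf '%2d X, letters only: %20s   with digits: %20s\n' \
        "$len" "$(keyspace 52 "$len")" "$(keyspace 62 "$len")"
done

# Demo: what does this machine's mktemp actually use?
alpha=$(probe_alphabet 200)
printf 'observed alphabet (%d chars): %s\n' "${#alpha}" "$alpha"
printf 'classes present: %s\n' "$(alphabet_classes "$alpha")"
```

The probe only shows which characters appear in a sample, not that they are drawn uniformly or from a cryptographic source; treat a missing class (for example, no digits in the observed set) as the concrete sign that the template's effective alphabet is smaller than its length suggests, which is exactly the 52 versus 62 distinction in the thread.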