Closed Bug 476622 Opened 16 years ago Closed 16 years ago

Assure that mod_perl children always receive a different srand() seed

Categories

(Bugzilla :: Bugzilla-General, defect)

3.0.7
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Bugzilla 3.2

People

(Reporter: mkanat, Assigned: mkanat)

Attachments

(1 file)

We need to make sure that bug 476594 can never happen again. gozer recommends calling srand with a sufficiently random value in PerlChildInitHandler.

To me, the default srand later than Perl 5.004 sounds fine, particularly if it actually does use /dev/random on Unix platforms:

http://perldoc.perl.org/functions/srand.html

Granted, it doesn't have /dev/random on Windows, but it still uses a fairly random seed.
Yes, that's correct, I forgot about that. So, adding PerlChildInitHandler "sub { srand(); }" to httpd.conf should be sufficient.
Oh hmm. This isn't all that easy for us to automatically set up for our users, because all of our configuration happens inside of a <Directory> block in mod_perl.pl, where PerlChildInitHandler isn't valid. Is there anything that's valid inside a Directory block that would be appropriate to call srand inside of? Otherwise we have to tell people to update their httpd.conf, which isn't something I want to depend on in the future for Bugzilla to be secure, particularly as some people may not notice that they have to update it when they update Bugzilla.
Oh wait, never mind. We can just add it outside of the Directory block. Duh.
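Added example (not part of the bug thread or of Bugzilla's mod_perl.pl): a stand-alone Perl script showing why the `PerlChildInitHandler "sub { srand(); }"` line discussed above matters. It assumes a constructed scenario in which the parent process has already used rand() before forking, standing in for code that runs while Apache loads; the helper names `child_values` and `distinct` are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fork $n children one after another and return the first rand() value each
# child produces. If $reseed is true, the child calls srand() before rand(),
# which is what the PerlChildInitHandler from the thread does per httpd child.
sub child_values {
    my ($n, $reseed) = @_;
    my @values;
    for (1 .. $n) {
        pipe(my $reader, my $writer) or die "pipe: $!";
        my $pid = fork();
        die "fork: $!" unless defined $pid;
        if ($pid == 0) {
            # Child: starts with a copy of the parent's generator state.
            close $reader;
            srand() if $reseed;
            printf {$writer} "%.15f\n", rand();
            close $writer;
            exit 0;
        }
        # Parent: collect the child's value; never calls rand() itself here,
        # so every child forks from the same generator state.
        close $writer;
        chomp(my $line = <$reader>);
        close $reader;
        waitpid($pid, 0);
        push @values, $line;
    }
    return @values;
}

# Count how many different values appear in the list.
sub distinct { my %seen; $seen{$_}++ for @_; return scalar keys %seen }

# Constructed scenario (assumption): the parent uses rand() once before
# forking, which seeds Perl's generator in the parent.
rand();

my @inherited = child_values(4, 0);
my @reseeded  = child_values(4, 1);

printf "inherited state:  %d distinct value(s) from 4 children: @inherited\n",
    distinct(@inherited);
printf "srand() in child: %d distinct value(s) from 4 children: @reseeded\n",
    distinct(@reseeded);
```

Run it with a plain `perl` on a platform with a real fork(); the first line shows what children produce when they only inherit the parent's state, the second what they produce after reseeding.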
Attached patch v1
Okay, here we go. I tested this on landfill and it doesn't seem to throw an error or anything.
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #360349 - Flags: review?(gozer)
Comment on attachment 360349 [details] [diff] [review] v1

Looks good.
Attachment #360349 - Flags: review?(gozer) → review+
(In reply to comment #5)
> (From update of attachment 360349 [details] [diff] [review])
> Looks good.

Small nit on the comment. I'd say something like:

# Make sure each httpd child receives a different random seed (bug 476622)
Might as well put it in 3.2, too, seems harmless and protects us against possible future mistakes.

(In reply to comment #6)
> (In reply to comment #5)
> # Make sure each httpd child receives a different random seed (bug 476622)

Ah, yeah, that's a good change, I'll do that.
Flags: approval3.2+
Flags: approval+
Target Milestone: Bugzilla 3.4 → Bugzilla 3.2
tip/3.4:

Checking in mod_perl.pl;
/cvsroot/mozilla/webtools/bugzilla/mod_perl.pl,v <-- mod_perl.pl
new revision: 1.11; previous revision: 1.10
done

3.2:

Checking in mod_perl.pl;
/cvsroot/mozilla/webtools/bugzilla/mod_perl.pl,v <-- mod_perl.pl
new revision: 1.10.2.1; previous revision: 1.10
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Summary: Assure that mod_perl children always receive a sufficiently random srand() seed → Assure that mod_perl children always receive a different srand() seed