Assure that mod_perl children always receive a different srand() seed

RESOLVED FIXED in Bugzilla 3.2

Status

Bugzilla
Bugzilla-General
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: Max Kanat-Alexander, Assigned: Max Kanat-Alexander)

Tracking

3.0.7
Bugzilla 3.2
Bug Flags:
approval +
approval3.2 +

Details

Attachments

(1 attachment)

(Assignee)

Description

9 years ago
We need to make sure that bug 476594 can never happen again. gozer recommends calling srand with a sufficiently random value in PerlChildInitHandler.

To me, the default srand later than Perl 5.004 sounds fine, particularly if it actually does use /dev/random on Unix platforms:

  http://perldoc.perl.org/functions/srand.html

Granted, it doesn't have /dev/random on Windows, but it still uses a fairly random seed.

Yes, that's correct, I forgot about that.

So, adding

PerlChildInitHandler "sub { srand(); }"

to httpd.conf should be sufficient.
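
The effect of the handler above can be seen outside Apache with plain fork(). This is an added example, not part of the original bug thread or of Bugzilla's code: it assumes the parent process has already seeded Perl's PRNG before forking, and `child_sequences` is a hypothetical helper in which a call to srand() in the child stands in for PerlChildInitHandler.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla code): forked children inherit the parent's
# PRNG state; calling srand() in each child gives each its own seed.
use strict;
use warnings;

# Fork $n children one at a time. Each child sends its first three rand()
# values back over a pipe. When $reseed is true the child calls srand()
# first, standing in for a PerlChildInitHandler.
sub child_sequences {
    my ($n, $reseed) = @_;
    my @seqs;
    for my $i (1 .. $n) {
        pipe(my $rd, my $wr) or die "pipe: $!";
        my $pid = fork();
        die "fork: $!" unless defined $pid;
        if ($pid == 0) {                      # child
            close $rd;
            srand() if $reseed;
            print {$wr} join(',', map { int(rand(1_000_000)) } 1 .. 3), "\n";
            close $wr;
            exit 0;
        }
        close $wr;                            # parent
        my $line = <$rd>;
        close $rd;
        waitpid($pid, 0);
        die "child $i sent nothing" unless defined $line;
        chomp $line;
        push @seqs, $line;
    }
    return @seqs;
}

# Assumption: the PRNG is seeded in the parent before any fork, as happens
# when code loaded at server startup calls srand() or rand().
srand();

for my $case (['inherited state', 0], ['srand() in child', 1]) {
    my ($label, $reseed) = @$case;
    my @seqs = child_sequences(4, $reseed);
    my %distinct = map { $_ => 1 } @seqs;
    printf "%-17s %d distinct sequence(s) from %d children\n",
        $label, scalar(keys %distinct), scalar(@seqs);
    print "    $_\n" for @seqs;
}
```

The parent never calls rand() between forks, so in the first case every child starts from the same inherited state; the second case reseeds in each child before the first rand() call.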
(Assignee)

Comment 2

9 years ago
Oh hmm. This isn't all that easy for us to automatically set up for our users, because all of our configuration happens inside of a <Directory> block in mod_perl.pl, where PerlChildInitHandler isn't valid. Is there anything that's valid inside a Directory block that would be appropriate to call srand inside of? Otherwise we have to tell people to update their httpd.conf, which isn't something I want to depend on in the future for Bugzilla to be secure, particularly as some people may not notice that they have to update it when they update Bugzilla.
(Assignee)

Comment 3

9 years ago
Oh wait, never mind. We can just add it outside of the Directory block. Duh.
(Assignee)

Comment 4

9 years ago
Created attachment 360349 [details] [diff] [review]
v1

Okay, here we go. I tested this on landfill and it doesn't seem to throw an error or anything.
Assignee: general → mkanat
Status: NEW → ASSIGNED
Attachment #360349 - Flags: review?(gozer)
Comment on attachment 360349 [details] [diff] [review]
v1

Looks good.
Attachment #360349 - Flags: review?(gozer) → review+
(In reply to comment #5)
> (From update of attachment 360349 [details] [diff] [review])
> Looks good.

Small nit on the comment.

I'd say something like:

# Make sure each httpd child receives a different random seed (bug 476622)
(Assignee)

Comment 7

9 years ago
Might as well put it in 3.2, too, seems harmless and protects us against possible future mistakes.

(In reply to comment #6)
> (In reply to comment #5)
> # Make sure each httpd child receives a different random seed (bug 476622)

Ah, yeah, that's a good change, I'll do that.
Flags: approval3.2+
Flags: approval+
Target Milestone: Bugzilla 3.4 → Bugzilla 3.2
(Assignee)

Comment 8

9 years ago
tip/3.4:

Checking in mod_perl.pl;
/cvsroot/mozilla/webtools/bugzilla/mod_perl.pl,v  <--  mod_perl.pl
new revision: 1.11; previous revision: 1.10
done

3.2:

Checking in mod_perl.pl;
/cvsroot/mozilla/webtools/bugzilla/mod_perl.pl,v  <--  mod_perl.pl
new revision: 1.10.2.1; previous revision: 1.10
done
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Summary: Assure that mod_perl children always receive a sufficiently random srand() seed → Assure that mod_perl children always receive a different srand() seed