Jarkko Hietaniemi wrote:
> > Are we sure that one seed computed at script start is safe-enough?
> > If the CGI server is up for months cannot the bad-hat deduce the seed
> > and tailor the exploit to match?
>
> I think yes.

CGI programs are forked at each request. However, if I understand
correctly, mod_perl enhanced apaches will only recompute the seed at
apache startup (or restart) time (and _not_ at graceful restart time.)
(I'll have to check this.)

> But unless we use a balanced data structure to implement the hashes,
> someone will always be able to find a way to create degenerate data
> structures. The random seed only makes the guessing harder.

Yes. Figuring out the seed sounds quite difficult.

> > I dislike environment variables affecting the way programs work.
>
> Like PATH or PERL5LIB or LD_LIBRARY_PATH or ...?

or PERLIO ? ;-)