http://www.nruns.com/_downloads/advisory28122011.pdf
Should we add some randomization to prevent abuse?
It's hard to anticipate how folks might leverage apr, and how malicious
folks might then seek to exploit computational workload vectors.
Thoughts?
On Thu, Jan 5, 2012 at 12:45 PM, William A. Rowe Jr. wr...@rowe-clan.net wrote:
http://www.nruns.com/_downloads/advisory28122011.pdf
Should we add some randomization to prevent abuse?
It's hard to anticipate how folks might leverage apr, and how malicious
folks might then seek to exploit
On 1/5/2012 12:37 PM, Ben Laurie wrote:
On Thu, Jan 5, 2012 at 5:45 PM, William A. Rowe Jr. wr...@rowe-clan.net wrote:
http://www.nruns.com/_downloads/advisory28122011.pdf
Should we add some randomization to prevent abuse?
Yes.
So my question comes down to, if we want to preserve using
On Thu, 2012-01-05 at 11:45 -0600, William A. Rowe Jr. wrote:
Should we add some randomization to prevent abuse?
There are Ruby patches in the RH bug database that may help as an example:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4815
--
Bojan
On Thu, 2012-01-05 at 11:45 -0600, William A. Rowe Jr. wrote:
Should we add some randomization to prevent abuse?
No idea whether this is something that may be useful, but here it is
nevertheless. At least it can be used as an example of what not to
do. :-)
--
Bojan
Index: tables/apr_hash.c
On 1/5/2012 4:13 PM, Bojan Smojver wrote:
On Thu, 2012-01-05 at 11:45 -0600, William A. Rowe Jr. wrote:
Should we add some randomization to prevent abuse?
No idea whether this is something that may be useful, but here it is
nevertheless. At least it can be used as an example of what not to
On Thu, 2012-01-05 at 16:39 -0600, William A. Rowe Jr. wrote:
Question; do we want each hash to have a unique randomization factor?
That would probably be more secure. As is, seed would be initialised
just once per process.
The apr_hashfunc_t function prototype would then most likely have to
On Fri, 2012-01-06 at 09:48 +1100, Bojan Smojver wrote:
The apr_hashfunc_t function prototype would then most likely have to
change. We'd probably need to pass the hash itself into it, which
would then hold the per-hash seed. Right?
Actually, that would not be a good plan. A custom hash
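Added example, not part of the thread and not APR code: a per-table seed kept in the table and handed to a multiply-by-33 string hash as its starting value, with a check that can be run against any seeding scheme before relying on it. All `demo_` names, the sample seeds and the key pair are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table header: the seed is stored per table. */
typedef struct {
    uint32_t seed;  /* drawn once per table from a CSPRNG in real code */
    uint32_t mask;  /* bucket count - 1, bucket count a power of two */
} demo_table_t;

/* Multiply-by-33 string hash with the seed as the starting value. */
static uint32_t demo_hash33(const char *key, size_t len, uint32_t seed)
{
    uint32_t h = seed;
    for (size_t i = 0; i < len; i++)
        h = h * 33u + (unsigned char)key[i];
    return h;
}

/* Bucket index of key in table t; the callback needs only t->seed. */
static uint32_t demo_bucket(const demo_table_t *t, const char *key)
{
    return demo_hash33(key, strlen(key), t->seed) & t->mask;
}

/* Returns 1 if a and b have the same full hash under every seed tried. */
static int demo_collide_under_all(const char *a, const char *b,
                                  const uint32_t *seeds, size_t nseeds)
{
    for (size_t i = 0; i < nseeds; i++)
        if (demo_hash33(a, strlen(a), seeds[i]) !=
            demo_hash33(b, strlen(b), seeds[i]))
            return 0;
    return 1;
}

/* Constructed sample seeds; not values from the thread. */
static const uint32_t demo_seeds[] = { 0u, 1u, 0x9e3779b9u, 0xdeadbeefu };

int main(void)
{
    demo_table_t t0 = { demo_seeds[0], 0xffu }, t1 = { demo_seeds[1], 0xffu };
    /* Constructed equal-length pair: 97*33 + 98 == 98*33 + 65. */
    printf("bucket(ab): %u vs %u\n", (unsigned)demo_bucket(&t0, "ab"),
           (unsigned)demo_bucket(&t1, "ab"));
    printf("ab/bA collide under all seeds: %d\n",
           demo_collide_under_all("ab", "bA", demo_seeds, 4));
    return 0;
}
```

A per-table seed moves a key to a different bucket in each table, but the seed only contributes seed·33^len to the result, so equal-length keys that collide without a seed still collide under every seed. The seed has to influence every mixing step, as in a keyed hash, for the randomization to separate such keys.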
On Fri, 2012-01-06 at 10:05 +1100, Bojan Smojver wrote:
Any other ideas?
Maybe like this?
--
Bojan
Index: tables/apr_hash.c
===
--- tables/apr_hash.c (revision 1227896)
+++ tables/apr_hash.c (working copy)
@@ -75,7 +75,7 @@