rt
rt copied to clipboard
Published
20 hours ago •
bestpractical
bestpractical
Rely on safe GUID generation for tokens
Token generation with rand(1024) is not safe to avoid collisions. I could not reproduce this with the Perl/Plack only server but with Apache MPM Prefork and mod_perl2 this happens very often:
root@rt4-dev:/vagrant/work# perl collision.pl
- Round 1
Hash: 78b4ab6083aed2409383ed028ca4fba3
- Round 2
Collision: 78b4ab6083aed2409383ed028ca4fba3 after 2
- Round 3
Hash: 85dee74b96cae0f8a688421b5a20c134
- Round 4
Hash: a5c0e39a26cb0d666564a042701b2830
- Round 5
Collision: 78b4ab6083aed2409383ed028ca4fba3 after 5
- Round 6
Hash: 0b890a36e390b911ded433af9cf8b05d
- Round 7
Collision: 0b890a36e390b911ded433af9cf8b05d after 7
- Round 8
Hash: 8a1b090f145862d3ae8de6c4d60b7c97
- Round 9
Collision: 8a1b090f145862d3ae8de6c4d60b7c97 after 9
- Round 10
Collision: 78b4ab6083aed2409383ed028ca4fba3 after 10
- Round 11
Hash: ebb02427b56b1462fa2656632a33c853
- Round 12
Hash: ff825a5486e9e386ef8ffdbc9e670fb3
- Round 13
Collision: 85dee74b96cae0f8a688421b5a20c134 after 13
# With Data::GUID
root@rt4-dev:/vagrant/work# perl collision.pl
- Round 1
Hash: d76290a6-f568-4af8-83a0-1120736165fa
- Round 2
Hash: d21a1870-fbd5-45a5-b063-309fbf1eaa17
- Round 3
Hash: 7275e1cb-d842-418d-b564-1b11771a9ba0
- Round 4
Hash: 8d1a0bc2-61d3-49fe-82d9-9b9052284887
- Round 5
Hash: 0a5aab3f-0f78-4e41-9994-f5f5d3160a05
- Round 6
Hash: a08d4d06-d44b-4aca-a6eb-92b31246fde2
- Round 7
Hash: 1f3f03e1-8fb5-4740-8b8d-45a3b1773ee5
- Round 8
Hash: 3dd57044-0c73-480d-94f8-cd1a4220ce72
- Round 9
Hash: 3cfa2758-cdb3-4fa0-8c8a-5d0602e6f21d
- Round 10
Hash: 8b4d3bd8-f94d-4ea6-8bee-e26e608cbe8a
- Round 11
Hash: 158df28c-b3f6-4268-bd3e-8668c189e94f
- Round 12
Hash: aa211fcb-a3a4-4075-a782-e6238bda5d97
Tested with
use strict;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use Data::Dumper;
my $cookie_jar = HTTP::Cookies->new( );
my $ua = LWP::UserAgent->new;
$ua->cookie_jar( $cookie_jar );
my $response = $ua->post('https://192.168.56.10/NoAuth/Login.html', {user => 'root', pass => 'password'});
my %hash;
for (my $i=1; $i<=1000; $i++) {
my $response2 = $ua->get('https://192.168.56.10/Ticket/Update.html?Action=Respond;id=133');
my $content = $response2->content;
if ($content =~ m/name="Token" value="([^"]+)"/) {
print " - Round $i\n";
if (exists $hash{$1}) {
print " Collision: $1 after $i\n"
} else {
$hash{$1} = 1;
print " Hash: $1\n"
}
}
}
It seems that rand() generated same random numbers quite often in your tests, could you add the following line to your apache configuration and see if it fix the collision issue:
PerlChildInitHandler "sub { srand }"
Thanks!
Okay. Without ChildInitHandler:
$ perl collision.pl
- Round 1
Hash: 1f9694dc6da55ffbc47cabc4c85fa9d8
- Round 2
Collision: 1f9694dc6da55ffbc47cabc4c85fa9d8 after 2
- Round 3
Collision: 1f9694dc6da55ffbc47cabc4c85fa9d8 after 3
- Round 4
Collision: 1f9694dc6da55ffbc47cabc4c85fa9d8 after 4
- Round 5
Hash: c734f979ab7add90259753c02d39e7e8
- Round 6
Collision: 1f9694dc6da55ffbc47cabc4c85fa9d8 after 6
- Round 7
Hash: a8817ac1cc1756afb92a8b2643532152
- Round 8
Hash: 81556e78c3e26c46760731d3e18914d4
- Round 9
Collision: c734f979ab7add90259753c02d39e7e8 after 9
With ChildInitHandler:
$ perl collision.pl
- Round 1
Hash: ed2332099a91ca13b7ed4d3f791e348f
- Round 2
Hash: 26fa18b028fed820e0727b9667a9c253
- Round 3
Hash: 4704764bacfa4a4506850dbc8653d651
- Round 4
Hash: b66794462819f6b7754ace371e68aa97
- Round 5
Collision: b66794462819f6b7754ace371e68aa97 after 5
- Round 6
Hash: b8d5fce6b157743a9263c1376d344877
- Round 7
Hash: 7b9db29c5f584bbfb77e64e16155db5d
- Round 8
Collision: 7b9db29c5f584bbfb77e64e16155db5d after 8
- Round 9
Hash: 3a3ccb8df084673e471d7cf4efa0bb93
- Round 10
Hash: 1ad65cd48178051234029d4e652407d0
Looks like 50% less collisions, but still too much ;-)