1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 06:25:03 -05:00
curl/tests/data/test554
Daniel Stenberg 365c5ba395 formpost: better random boundaries
When doing multi-part formposts, libcurl used a pseudo-random value that
was seeded with time(). This turns out to be bad for users who formpost
data that is provided with users who then can guess how the boundary
string will look like and then they can forge a different formpost part
and trick the receiver.

My advice to such implementors is (still even after this change) to not
rely on the boundary strings being cryptographically strong. Fix your
code and logic to not depend on them that much!

I moved the Curl_rand() function into the sslgen.c source file now to be
able to take advantage of the SSL library's random function if it
provides one. If not, try to use the RANDOM_FILE for seeding and as a
last resort keep the old logic, just modified to also add microseconds
which makes it harder to properly guess the exact seed.

The formboundary() function in formdata.c is now using 64 bit entropy
for the boundary and therefore the string of dashes was reduced by 4
letters and there are 16 hex digits following it. The total length is
thus still the same.

Bug: http://curl.haxx.se/bug/view.cgi?id=1251
Reported-by: "Floris"
2013-06-25 09:55:49 +02:00

79 lines
1.7 KiB
Plaintext

<testcase>
#
# Server-side
<reply>
<data mode="text">
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake swsclose
Connection: close
Content-Type: text/html
hello
</data>
</reply>
# Client-side
<client>
<server>
http
</server>
# tool is what to use instead of 'curl'
<tool>
lib554
</tool>
<name>
HTTP multi-part formpost using read callback for the file part
</name>
<command>
http://%HOSTIP:%HTTPPORT/554
</command>
</client>
#
# Verify data after the test has been "shot"
<verify>
<strippart>
s/^--------------------------[a-z0-9]*/------------------------------/
s/boundary=------------------------[a-z0-9]*/boundary=----------------------------/
</strippart>
# Note that the stripping above removes 12 bytes from every occurance of the
# boundary string and since 5 of them are in the body contents, we see
# (5*12) == 60 bytes less
<protocol>
POST /554 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
Content-Length: 732
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------
------------------------------
Content-Disposition: form-data; name="sendfile"; filename="postit2.c"
this is what we post to the silly web server
------------------------------
Content-Disposition: form-data; name="callbackdata"
this is what we post to the silly web server
------------------------------
Content-Disposition: form-data; name="filename"
postit2.c
------------------------------
Content-Disposition: form-data; name="submit"
send
------------------------------
Content-Disposition: form-data; name="somename"; filename="somefile.txt"
Content-Type: application/octet-stream
blah blah
--------------------------------
</protocol>
</verify>
</testcase>