apache 2.x + php 5.x http post temporary file name non-randomness

Jeremy Chadwick koitsu at FreeBSD.org
Mon Nov 12 19:58:57 PST 2007


On Mon, Nov 12, 2007 at 09:21:56PM +0100, Erik Stian Tefre wrote:
> There seems to be a bug (or feature?) somewhere that limits the number of 
> unique temporary file names used when storing temporary files that are 
> uploaded by posting a form. Looking through my webserver logs of 110000 
> file uploads, I find no more than 495 unique temporary file names which are 
> being reused again and again.
> (File name example: /var/tmp/phpzzJuIt)
>
> I think PHP is supposed to use mkstemp(). From the mkstemp(3) manual:
> "The number of unique file names mktemp() can return depends on the number 
> of `Xs' provided; six `Xs' will result in mktemp() selecting one of 
> 56800235584 (62 ** 6) possible temporary file names."
>
> PHP uses 6 Xs. This makes the low number of observed unique file names 
> (495) a bit disappointing.

It sounds as if the limitation in range (56800235584 vs. 495) may be due
to what's considered a permittable character in a filename.  I'm betting
the function ANDs the per-byte results, requiring them to be within
[0-9A-Za-z].  That's (26+26+10)^6.

Based on that, it sounds as if there's no "easy" way to increase the
entropy.

I'm not really sure I'd use gettimeofday() for extending this, though.
If I remember correctly (someone please correct me if I'm wrong):

* The clock is not a good source of randomness because it's predictable
  (although in this case it's not the sole source of entropy)
* gettimeofday() is an expensive call due to communication with the RTC.

I'm left believing that adding more X's to the path passed to mkstemp()
would be a better solution, and a more compatible one.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
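
The figures in this thread can be checked empirically. The following C program is an added example, not code from the thread or from PHP: it creates and removes files with the same six-X `mkstemp()` template and compares the number of distinct suffixes against the collision count a uniform 62^6 name space would predict. The `/tmp` directory, the sample size, and the helper names `expected_collisions`, `count_distinct` and `sample_mkstemp` are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700          /* expose mkstemp() under strict -std= */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define SUFFIX_LEN 6               /* number of X's in the template */

/* Birthday approximation: colliding pairs for n uniform draws, n(n-1)/(2*space). */
double expected_collisions(double n, double space) {
    return n * (n - 1.0) / (2.0 * space);
}

static int cmp_suffix(const void *a, const void *b) {
    return strcmp((const char *)a, (const char *)b);
}

/* Sort the recorded suffixes in place and count the distinct ones. */
size_t count_distinct(char (*names)[SUFFIX_LEN + 1], size_t n) {
    size_t distinct = n ? 1 : 0;
    qsort(names, n, sizeof names[0], cmp_suffix);
    for (size_t i = 1; i < n; i++)
        if (strcmp(names[i - 1], names[i]) != 0)
            distinct++;
    return distinct;
}

/* Create and remove n files <dir>/phpXXXXXX, recording each suffix; 0 on success. */
int sample_mkstemp(const char *dir, size_t n, char (*out)[SUFFIX_LEN + 1]) {
    char path[4096];
    for (size_t i = 0; i < n; i++) {
        int len = snprintf(path, sizeof path, "%s/phpXXXXXX", dir);
        if (len < 0 || (size_t)len >= sizeof path) return -1;
        int fd = mkstemp(path);    /* rewrites the X's in place */
        if (fd < 0) return -1;
        memcpy(out[i], path + len - SUFFIX_LEN, SUFFIX_LEN + 1);
        close(fd);
        unlink(path);              /* remove the file so the name is free again */
    }
    return 0;
}

int main(void) {
    static char names[5000][SUFFIX_LEN + 1];
    if (sample_mkstemp("/tmp", 5000, names) != 0) return 1;
    printf("distinct %zu of 5000; uniform model expects %.6f collisions\n",
           count_distinct(names, 5000), expected_collisions(5000, 56800235584.0));
    return 0;
}
```

For the 110000 uploads mentioned in the quoted report, `expected_collisions(110000, 56800235584.0)` is about 0.1, so a uniform generator would be expected to produce almost no repeated names at that volume.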


