
Re: Issues regarding ruby-rack/CVE-2019-16782

Ola Lundqvist <ola@inguza.com> writes:

> Precisely. This is why I was asking about the length of the session id
> used. With the length we can estimate how many times an attacker may try to
> find all possible values.
> If this is small enough (and the attacker is close enough) it can be
> exploited. But if the session key is really large, then there is no way
> that this can be done in practice even with years of tries.

If I understand this code correctly, by reading it:

The default size of a sid is intended to be 128 bits, or 32 hex digits long.

However, this value is created by SecureRandom.hex() - see
which actually takes a parameter with the number of bytes, not the number of
digits. So when we pass this function 32, we actually get 32 bytes (= 256
bits), or 64 digits.

irb(main):007:0> p SecureRandom.hex(1) 
=> "82"
irb(main):006:0> p SecureRandom.hex(2) 
=> "5fad"
Brian May <bam@debian.org>
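The bytes-versus-digits point above, worked through as an added example (not code from the thread or from Rack itself): SecureRandom.hex(n) returns 2*n hex digits, i.e. n*8 bits of entropy, so the argument that yields the intended 128 bits is 16, and passing 32 yields 256 bits. The helper names (sid_size, hex_arg_for_bits, generate_sid, expected_years_to_guess) are my own, and the guess rate used in the search-space estimate is an assumed figure, not anything measured.

```ruby
require 'securerandom'

# SecureRandom.hex(n) takes a BYTE count and returns 2*n hex digits (n*8 bits).
# Given the argument actually passed to SecureRandom.hex, report what you get.
def sid_size(hex_arg)
  bytes = Integer(hex_arg)
  { bytes: bytes, bits: bytes * 8, hex_digits: bytes * 2 }
end

# The byte count to pass to SecureRandom.hex for an intended bit length
# (e.g. 128 bits -> hex(16), which gives 32 hex digits).
def hex_arg_for_bits(bits)
  unless bits.positive? && (bits % 8).zero?
    raise ArgumentError, 'bits must be a positive multiple of 8'
  end
  bits / 8
end

# Generate a sid the way the thread describes (SecureRandom.hex with a byte
# count) and check that its length agrees with sid_size.
def generate_sid(hex_arg)
  sid = SecureRandom.hex(hex_arg)
  expected = sid_size(hex_arg)[:hex_digits]
  unless sid.length == expected && sid.match?(/\A\h+\z/)
    raise "unexpected sid length #{sid.length}, expected #{expected}"
  end
  sid
end

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Expected years to hit a uniformly random sid by exhaustive guessing at a
# given rate. On average success comes after half the space is searched; this
# assumes no rate limiting and no side channel that narrows the search.
def expected_years_to_guess(bits, guesses_per_second)
  space = 2.0**bits
  (space / 2.0) / guesses_per_second / SECONDS_PER_YEAR
end

if __FILE__ == $PROGRAM_NAME
  intended_bits = 128 # the documented intent discussed in the thread
  right_arg = hex_arg_for_bits(intended_bits)
  wrong_arg = intended_bits / 4 # the hex-digit count, mistakenly passed as bytes

  [right_arg, wrong_arg].each do |arg|
    s = sid_size(arg)
    puts "SecureRandom.hex(#{arg}) -> #{s[:hex_digits]} hex digits, #{s[:bits]} bits"
    puts "  sample: #{generate_sid(arg)}"
    # Assumed rate of 1e9 guesses/second, purely illustrative.
    puts format('  expected years to guess at 1e9/s: %.2e', expected_years_to_guess(s[:bits], 1e9))
  end
end
```

The estimate function only bounds blind guessing; it says nothing about an oracle that leaks information per comparison, which is the separate concern behind the CVE itself and is not reduced by a longer sid alone.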
