Generate multipart boundary using SecureRandom [SPR-16635] #21176

Closed

Rossen Stoyanchev opened SPR-16635 and commented

From RFC 2046:

The boundary delimiter MUST NOT appear inside any of the encapsulated parts,
on a line by itself or as the prefix of any line.  This implies that it is
crucial that the composing agent be able to choose and specify a
unique boundary parameter value that does not contain the boundary
parameter value of an enclosing multipart as a prefix.

Currently Random is used to generate the boundary which guarantees the above will not occur by accident. In certain scenarios, based on an advanced and esoteric type of attack, it is theoretically possible for the boundary to be guessed and intermixed with content received as input from an outside source. We should switch to using SecureRandom to completely eliminate that possibility.

Note however that the use of SecureRandom also introduces the possibility for lack of entropy depending on how the JVM is configured. This is a more general issue, however, not specific to the Spring Framework, but we need to provide guidance in the docs.


Affects: 4.3.14

Issue Links:

Referenced from: commits f6ea740, e02ff3a, d007c25, ab2410c

Backported to: 4.3.15
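
An added example (not code from this issue or from Spring Framework) of the approach described above: the boundary is drawn from SecureRandom, and each part is checked against the RFC 2046 rule before it is written. The class name, the boundary alphabet and length, and the sample parts are assumptions.

```java
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Map;

public class MultipartBoundaryExample {
    // Assumed alphabet: RFC 2046 boundary characters that need no quoting in the header.
    private static final char[] BOUNDARY_CHARS =
            "-_1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ".toCharArray();

    // Algorithm and seed source come from the JVM security configuration (the entropy concern).
    private static final SecureRandom RANDOM = new SecureRandom();

    /** 30 to 40 characters (assumed length; RFC 2046 allows at most 70). */
    static String generateBoundary() {
        char[] boundary = new char[30 + RANDOM.nextInt(11)];
        for (int i = 0; i < boundary.length; i++) {
            boundary[i] = BOUNDARY_CHARS[RANDOM.nextInt(BOUNDARY_CHARS.length)];
        }
        return new String(boundary);
    }

    /** True if any line of the part starts with the delimiter "--" + boundary. */
    static boolean containsDelimiter(String part, String boundary) {
        String delimiter = "--" + boundary;
        return part.startsWith(delimiter) || part.contains("\n" + delimiter);
    }

    /** Part names are trusted constants here; only the values come from outside. */
    static String encode(Map<String, String> parts) {
        String boundary = generateBoundary();
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> part : parts.entrySet()) {
            if (containsDelimiter(part.getValue(), boundary)) {
                throw new IllegalStateException("boundary collides with part content");
            }
            body.append("--").append(boundary).append("\r\n")
                .append("Content-Disposition: form-data; name=\"").append(part.getKey())
                .append("\"\r\n\r\n").append(part.getValue()).append("\r\n");
        }
        return body.append("--").append(boundary).append("--\r\n").toString();
    }

    public static void main(String[] args) {
        Map<String, String> parts = new LinkedHashMap<>();
        parts.put("comment", "text received from an outside source"); // constructed sample
        parts.put("owner", "alice"); // constructed sample
        System.out.print(encode(parts));
    }
}
```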

Labels:

in: web - Issues in web modules (web, webmvc, webflux, websocket)

status: backported - An issue that has been backported to maintenance branches

type: enhancement - A general enhancement