curl-tracker Archives

[curl:bugs] #1251 Form boundary string should be truly random

From: Floris <florisb_at_users.sf.net>
Date: Mon, 24 Jun 2013 16:34:43 +0000

Keep in mind that this is a security issue that affects virtually every PHP web application that uses libcurl to call RESTful web services, and passes through user-provided input.

>PantsAdministrator is not very clever about curl, so it spawns it in its own process which initializes Curl_srand just before calling the curl_easy post mechanism.

That is pretty standard in shared hosting environments, where PHP is started as a CGI script for each request, so it can run under the privileges of the username of the webhosting customer.
Web servers like Apache also send the server's date & time with every request to the website visitor. So the end-user knows exactly what boundary is going to be used.

>I suggest we make sure this is properly documented to not surprise users.

Documented instead of fixed?
What do you recommend web applications using libcurl do?
Filter out every line of user input that starts with "--" as it could be a boundary?
Remember that users of libcurl do not know which boundary libcurl is going to use. That is an implementation detail inside libcurl.

---
**[bugs:#1251] Form boundary string should be truly random**
**Status:** open
**Created:** Mon Jun 24, 2013 11:24 AM UTC by Floris
**Last Updated:** Mon Jun 24, 2013 02:40 PM UTC
**Owner:** Daniel Stenberg
The use of predictable pseudo-random numbers to generate the multipart/form boundary can lead to security issues in software using libcurl.
See: http://localhost.re/p/solusvm-whmcs-module-316-vulnerability
---
Received on 2013-06-24
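As an added example (not code from curl, libcurl, or anyone in this thread), here is what a multipart/form-data builder should do instead of using a time-seeded PRNG: draw the boundary from the OS CSPRNG and apply the RFC 2046 rule that the boundary must not occur inside any part. The field names and values below are constructed; a minimal receiver-side parser is included to confirm that a user value containing a line starting with "--" still arrives as one part.

```python
import secrets
from typing import Dict, Tuple


def make_boundary(nbytes: int = 16) -> str:
    # 128 bits from the OS CSPRNG: unguessable even when the attacker knows
    # the process start time, unlike a srand(time())-seeded generator.
    return "----boundary-" + secrets.token_hex(nbytes)


def build_multipart(fields: Dict[str, str]) -> Tuple[str, bytes]:
    """Return (boundary, body) for simple text fields (names assumed quote-free)."""
    encoded = {name: value.encode("utf-8") for name, value in fields.items()}
    while True:
        boundary = make_boundary()
        marker = ("--" + boundary).encode("ascii")
        # RFC 2046: the boundary must not appear in the encapsulated data.
        # A collision is astronomically unlikely, but the check is cheap and
        # makes the builder correct even for attacker-chosen values.
        if not any(marker in value for value in encoded.values()):
            break
    lines = []
    for name, value in encoded.items():
        lines.append(marker)
        lines.append(b'Content-Disposition: form-data; name="%s"' % name.encode("ascii"))
        lines.append(b"")
        lines.append(value)
    lines.append(marker + b"--")
    lines.append(b"")
    return boundary, b"\r\n".join(lines)


def parse_parts(boundary: str, body: bytes) -> Dict[str, bytes]:
    """Minimal receiver: split on the boundary and return name -> raw value."""
    marker = b"--" + boundary.encode("ascii")
    parts: Dict[str, bytes] = {}
    for chunk in body.split(marker)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        header, _, value = chunk.partition(b"\r\n\r\n")
        name = header.split(b'name="', 1)[1].split(b'"', 1)[0].decode("ascii")
        parts[name] = value[:-2] if value.endswith(b"\r\n") else value
    return parts


# Constructed sample: the "comment" value has a line starting with "--",
# which would need filtering only if the boundary were guessable.
SAMPLE_FIELDS = {"user": "alice", "comment": "--not a boundary--\r\nsecond line"}
```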
