
curl-tracker Archives

[curl:bugs] #1251 Form boundary string should be truly random

From: brim <brimston3_at_users.sf.net>
Date: Mon, 24 Jun 2013 21:18:45 +0000

Thank you, Daniel. I applied your patch to my local git repository and it solves the problem we were having (predictability of the form boundary). I agree that the libcurl users should be sanitizing their inputs; however, there is no way to tell what form boundary libcurl may use and test for that specifically. It may be beneficial to share that information with the host program somehow, though I realize it changes with attachment depth. This patch is sufficient.

---
**[bugs:#1251] Form boundary string should be truly random**
**Status:** open
**Created:** Mon Jun 24, 2013 11:24 AM UTC by Floris
**Last Updated:** Mon Jun 24, 2013 08:31 PM UTC
**Owner:** Daniel Stenberg
The use of predictable pseudo-random numbers to generate the multipart/form boundary can lead to security issues in software using libcurl.
See: http://localhost.re/p/solusvm-whmcs-module-316-vulnerability
---
Received on 2013-06-24
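
What a program that builds its own multipart body can do about the concern raised in the mail above, as an added example (not libcurl's code and not the patch discussed): draw the boundary from the OS CSPRNG and refuse any field value that contains it. The function names, the boundary layout and the use of `/dev/urandom` are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define DASHES 24
#define RND_BYTES 16                       /* 128 bits from the OS CSPRNG */
#define BOUNDARY_LEN (DASHES + 2 * RND_BYTES)

/* Writes dashes + hex into out; returns 0, or -1 if the CSPRNG is unreadable. */
int make_boundary(char out[BOUNDARY_LEN + 1])
{
  unsigned char rnd[RND_BYTES];
  FILE *f = fopen("/dev/urandom", "rb");
  size_t n, i;
  if(!f)
    return -1;
  n = fread(rnd, 1, sizeof(rnd), f);
  fclose(f);
  if(n != sizeof(rnd))
    return -1;
  memset(out, '-', DASHES);
  for(i = 0; i < sizeof(rnd); i++)
    snprintf(out + DASHES + 2 * i, 3, "%02x", rnd[i]);
  return 0;
}

/* Returns 1 if the (binary-safe) value contains "--" + boundary and
   would therefore end its own part early, 0 otherwise. */
int value_breaks_framing(const char *val, size_t len, const char *boundary)
{
  char delim[BOUNDARY_LEN + 3];
  size_t dlen, i;
  if(strlen(boundary) > BOUNDARY_LEN)
    return 1;                              /* unexpected boundary: refuse */
  dlen = (size_t)snprintf(delim, sizeof(delim), "--%s", boundary);
  for(i = 0; i + dlen <= len; i++)
    if(memcmp(val + i, delim, dlen) == 0)
      return 1;
  return 0;
}

int main(void)
{
  char b[BOUNDARY_LEN + 1];
  const char *field = "name=example";      /* constructed sample value */
  if(make_boundary(b) != 0)
    return 1;
  printf("%s unsafe=%d\n", b, value_breaks_framing(field, strlen(field), b));
  return 0;
}
```

The check only works because the sender knows the boundary it is about to use, which is the information the mail says a libcurl host program does not have.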

Page updated May 06, 2013.