
curl-tracker Archives

[curl:bugs] #1251 Form boundary string should be truly random

From: Dan Fandrich <dfandrich_at_users.sf.net>
Date: Mon, 24 Jun 2013 21:53:11 +0000

A couple of suggestions on the patch. There's a typo in the comments (acess). And maybe it's lame to even try, but in the #ifndef have_curlssl_random case, you can get a few more bits of randomness by adding getpid() to time() (and clock_gettime() when available, if you want to get fancy). Since with this patch the form generation uses a cryptographically-secure random number generator when available, by extending the multipart line generation code to call Curl_rand() twice and use both numbers, you get a 64-bit cryptographically-strong multipart separation line, which should solve this problem for good.

---
** [bugs:#1251] Form boundary string should be truly random**
**Status:** open
**Created:** Mon Jun 24, 2013 11:24 AM UTC by Floris
**Last Updated:** Mon Jun 24, 2013 09:24 PM UTC
**Owner:** Daniel Stenberg
The use of predictable pseudo-random numbers to generate the multipart/form boundary can lead to security issues in software using libcurl.
See: http://localhost.re/p/solusvm-whmcs-module-316-vulnerability
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
Received on 2013-06-24
