I can't think of any reason to strip off the bottom 8 bits of each random number when generating the multipart line. More randomness is better, after all, and those extra bits are free! In fact, some of those redundant dashes could be replaced with another 32 bits of entropy with little effort.

On a side note, the previous use of a non cryptographically-secure PRNG in Curl_sasl_create_digest_md5_message gives me a bad feeling. I wonder what security impact that had?

---
** [bugs:#1251] Form boundary string should be truly random**
**Status:** open
**Created:** Mon Jun 24, 2013 11:24 AM UTC by Floris
**Last Updated:** Mon Jun 24, 2013 10:39 PM UTC
**Owner:** Daniel Stenberg
The use of predicatable pseudo-random numbers to generate the multipart/form boundary can lead to security issues in software using libcurl.
See: http://localhost.re/p/solusvm-whmcs-module-316-vulnerability
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.