Session identifiers are wrong and that might cause malicious attacks
Bug #1578651 reported by Alfonso Sanchez-Beato
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
aethercast | New | Undecided | Unassigned |
Bug Description
We are using a sequence that starts with session_id=1 as session identifiers. They should be random and >= 8 characters according to the RTSP specification [1]:
3.4 Session Identifiers
Session identifiers are opaque strings of arbitrary length. Linear
white space must be URL-escaped. A session identifier MUST be chosen
randomly and MUST be at least eight octets long to make guessing it
more difficult. (See Section 16.)
session-id = 1*( ALPHA | DIGIT | safe )
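
One way to produce identifiers that meet the quoted requirement, as an added example that is not aethercast code or part of the original report. The function names and the 16-character default are assumptions; the `safe` character set is taken from the grammar in RFC 2326 section 15.1, and `/dev/urandom` is assumed to be available as the random source.

```cpp
#include <cstddef>
#include <fstream>
#include <stdexcept>
#include <string>

// Characters allowed by the quoted grammar: ALPHA | DIGIT | safe.
// "safe" is $ - _ . + per RFC 2326 section 15.1.
static const std::string kSessionAlphabet =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789$-_.+";

// Hypothetical helper: draw `length` characters using the kernel CSPRNG.
std::string GenerateSessionId(std::size_t length = 16) {
    if (length < 8)
        throw std::invalid_argument("session id must be at least 8 octets");
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom)
        throw std::runtime_error("cannot open /dev/urandom");
    const unsigned n = static_cast<unsigned>(kSessionAlphabet.size());  // 67
    const unsigned limit = 256 - (256 % n);                             // 201
    std::string id;
    while (id.size() < length) {
        char c;
        if (!urandom.get(c))
            throw std::runtime_error("short read from /dev/urandom");
        unsigned v = static_cast<unsigned char>(c);
        if (v < limit)  // rejection sampling avoids modulo bias
            id.push_back(kSessionAlphabet[v % n]);
    }
    return id;
}

// Hypothetical check for the syntactic half of section 3.4 only (length and
// character set). It cannot tell whether an identifier was chosen randomly:
// a zero-padded counter such as "00000001" would also pass.
bool IsWellFormedSessionId(const std::string& id) {
    return id.size() >= 8 &&
           id.find_first_not_of(kSessionAlphabet) == std::string::npos;
}

int main() {
    const std::string id = GenerateSessionId();
    // The sequential value "1" described in the report fails the length rule.
    return IsWellFormedSessionId(id) && !IsWellFormedSessionId("1") ? 0 : 1;
}
```
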