[webkit-dev] Blacklisting some sqlite functions

Adam Barth abarth at webkit.org
Thu Jan 7 11:13:28 PST 2010


On Thu, Jan 7, 2010 at 10:02 AM, Brady Eidson <beidson at apple.com> wrote:
> Are random() and randomblob() security risks?  Could you point us to a
> source explaining this?

They're fairly low risk, but you tend to leak a surprising amount of
information when you expose non-cryptographic random sources to
attackers.  We've already gotten a rather detailed report of the leaks
from Math.random, for example.  If these functions are useful, we can
keep them, but it does cost some amount of attack surface.

Adam
