benweissmann commented on code in PR #625:
URL:
https://github.com/apache/httpcomponents-client/pull/625#discussion_r2001139283
##########
httpclient5/src/main/java/org/apache/hc/client5/http/entity/mime/MultipartEntityBuilder.java:
##########
@@ -234,14 +225,12 @@ public MultipartEntityBuilder addBinaryBody(final String
name, final InputStream
}
/**
- * Returns the fixed default boundary value.
- */
- private String getFixedBoundary() {
- return BOUNDARY_PREFIX + "7k9p2m4x8n5j3q6t1r0vwyzabcdefghi";
- }
-
- /**
- * Generates a random boundary using UUID.
+ * Generates a random boundary using UUID. The UUID is a v4 random UUID
generated from a cryptographically-secure
+ * random source.
+ * <p>
+ * A cryptographically-secure random number source is used to avoid
security issues similar to
Review Comment:
Let me know what you think of the revised note -- I've removed the reference
to the CVE, but I think it's important to note the source (and randomness
guarantees) of the UUID for two reasons:
- As you've discussed, it's the responsibility of the caller to enforce any
security model for their application, so we should document the source of the
value here so they can make those decisions.
- So future contributors know that the choice of randomness here was
intentional, and to consider that if there's any future changes to the default
boundary value selection
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
