kinow commented on a change in pull request #459: (doc): Document public RandomStringUtils exploit
URL: https://github.com/apache/commons-lang/pull/459#discussion_r324843543
 
 

 ##########
 File path: src/main/java/org/apache/commons/lang3/RandomStringUtils.java
 ##########
 @@ -34,7 +34,11 @@
  * RandomStringGenerator</a> instead.</p>
  *
  * <p>Caveat: Instances of {@link Random}, upon which the implementation of 
this
- * class relies, are not cryptographically secure.</p>
+ * class relies, are <b>not cryptographically secure</b>.
+ * Do not use this classes' default implementation of {@link Random} in 
security sensitive locations,
+ * for example password reset key generation, as all future values can be 
computed as proven by
+ * <a 
href="https://medium.com/@alex91ar/the-java-soothsayer-a-practical-application-for-insecure-randomness-c67b0cd148cd?source=friends_link&sk=3db1c41cc81a58f70ed05a7315191385";>
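Review bot: the new `href` on the last `+` line of this hunk contains a raw `&` (`...?source=friends_link&sk=...`) and is followed by a stray `;` after the closing quote; inside Javadoc HTML the ampersand should be `&amp;` (or, simpler, drop the `source` and `sk` tracking parameters and link to the bare article URL) and the stray character removed, otherwise doclint will likely reject the generated HTML. Same hunk, wording: `this classes' default implementation` should read `this class's default implementation`.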
 
 Review comment:
   I agree with others on the issue with a link to medium, but I don't care much about monetization.
   
   If we have a link to CVE, a paper published in some journal, a standard documentation from some site like ietf, or a wikipedia page, it would be preferable IMHO.
   
   If this is the only place with an explanation, or the best link to understand the issue, then we need to use a web.archive.org link to prevent it from disappearing after some years.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
