On Mon, Nov 12, 2007 at 09:21:56PM +0100, Erik Stian Tefre wrote:
> There seems to be a bug (or feature?) somewhere that limits the number of
> unique temporary file names used when storing temporary files that are
> uploaded by posting a form. Looking through my webserver logs of 110000
> file uploads, I find no more than 495 unique temporary file names which are
> being reused again and again.
> (File name example: /var/tmp/phpzzJuIt)
>
> I think PHP is supposed to use mkstemp(). From the mkstemp(3) manual:
> "The number of unique file names mktemp() can return depends on the number
> of `Xs' provided; six `Xs' will result in mktemp() selecting one of
> 56800235584 (62 ** 6) possible temporary file names."
>
> PHP uses 6 Xs. This makes the low number of observed unique file names
> (495) a bit disappointing.

It sounds as if the limitation in range (56800235584 vs. 495) may be due
to what's considered a permittable character in a filename. I'm betting
the function ANDs the per-byte results, requiring them to be within
[0-9A-Za-z]. That's (26+26+10)^6.

Based on that, it sounds as if there's no "easy" way to increase the
entropy.

I'm not really sure I'd use gettimeofday() for extending this, though.
If I remember correctly (someone please correct me if I'm wrong):

* The clock is not a good source of randomness because it's predictable
  (although in this case it's not the sole source of entropy)
* gettimeofday() is an expensive call due to communication with the RTC.

I'm left believing that adding more X's to the path passed to mkstemp()
would be a better solution, and a more compatible one.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |
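
Added example, not part of the original message or of PHP's code: a way to check upload logs for the symptom discussed in this thread, by comparing the number of distinct temporary names seen against what uniform selection from the 62^6 space would be expected to produce. The log line format, the sample data and all function names are assumptions made for illustration.

```python
import math
import re

ALPHABET = 62      # [0-9A-Za-z], as discussed in the thread
TEMPLATE_XS = 6    # six Xs in the template, per the thread

# Matches names shaped like /var/tmp/phpzzJuIt (the example from the thread).
TMP_NAME = re.compile(r"/var/tmp/php([0-9A-Za-z]{6})\b")


def extract_names(lines):
    """Return the 6-character suffix of every temp file name in the lines."""
    return [m.group(1) for line in lines for m in TMP_NAME.finditer(line)]


def expected_distinct(space, draws):
    """Expected distinct values after `draws` uniform picks from `space`.

    E = N * (1 - (1 - 1/N)^k), written with log1p/expm1 so it stays
    accurate when N is very large.
    """
    return -space * math.expm1(draws * math.log1p(-1.0 / space))


def report(names):
    """Summarise how far the observed names fall short of the nominal space."""
    space = ALPHABET ** TEMPLATE_XS
    distinct = len(set(names))
    return {
        "draws": len(names),
        "distinct": distinct,
        "expected_distinct": expected_distinct(space, len(names)),
        "nominal_bits": math.log2(space),
        # log2 of the names actually seen; close to the effective entropy
        # once draws greatly exceed the distinct count (pool is saturated).
        "observed_bits": math.log2(distinct) if distinct else 0.0,
    }


def constructed_log():
    """Constructed sample: 2000 uploads that reuse only 50 names."""
    pool = ["zzJu%02d" % i for i in range(50)]
    return ["upload tmp_name=/var/tmp/php%s size=1024" % pool[i % 50]
            for i in range(2000)]


if __name__ == "__main__":
    print(report(extract_names(constructed_log())))
```

For the figures quoted in the thread, `expected_distinct(62**6, 110000)` comes out within one name of 110000, so a count of 495 distinct names corresponds to roughly 9 bits rather than the nominal 35.7.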