CF-3792283
Title
Calling Randomize() with the SHA1PRNG does not create "repeatable number patterns".
Description
In CF10, the IBMSecureRandom algorithm also has the same issue. Only the CFMX_COMPAT algorithm gives "repeatable number patterns".
Comment by External U.
07/21/2014 11:01:44 GMT
Attn @Ryall: I've updated the docs to reflect a) there being a bug; b) using an example that is cruft-free and *actually works*. -- Adam
Comment by External U.
07/22/2014 02:22:24 GMT
For reference, the original example with the bug before Adam updated the docs can be found on http://help.adobe.com/livedocs/coldfusion/8/htmldocs/help.html?content=functions_m-r_23.html . This example in these older docs still has the bug when run under CF10.
Comment by External U.
07/22/2014 08:55:23 GMT
The documented behavior of randomize is only applicable to CFMX_COMPAT and non-secure PRNG algorithms. A secure random generation algorithm would not repeat the sequence as the randomness depends on a lot of things other than the seed. This is not a bug.
Comment by Rupesh K.
08/04/2014 11:55:34 GMT
Rupesh, can you pls clarify two things: a) based on what you say below... how come this all USED TO work as described on CFMX7, but now doesn't on CF10+? b) how is it "fixed" if there was nothing to fix?
Comment by External U.
02/12/2015 15:14:09 GMT
(sorry, meant to add "cheers" to that before pressing send. It was a request, not a demand ;-)
Comment by External U.
02/12/2015 15:17:41 GMT
I was earlier wrong. According to Wikipedia “A PRNG can be started from an arbitrary initial state using a seed state. It will always produce the same sequence when initialized with that state.” Since SecureRandom object creation is quite expensive, we started caching its instance from CF 9 onwards and that caused it to break. The fix is not to use the cached object for Randomize(). The fix would be available in the CF11 update 5 and CF10 update 16.
Comment by Rupesh K.
02/12/2015 23:18:10 GMT
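The caching explanation in the comment above can be reproduced against the JDK's own SHA1PRNG. This is an added example, not ColdFusion's code and not part of the ticket; the class name, the `cached` field and both helper methods are hypothetical, and the stock SUN provider is assumed.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class Sha1PrngSeedDemo {
    // Hypothetical stand-in for an engine-wide cached generator.
    static SecureRandom cached;

    // New instance, seeded before any output is drawn: with the SUN
    // provider the seed alone determines the internal state.
    static byte[] freshSeeded(long seed) throws NoSuchAlgorithmException {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.setSeed(seed);
        byte[] out = new byte[8];
        r.nextBytes(out);
        return out;
    }

    // Cached instance that has already produced output: setSeed()
    // supplements the existing state instead of replacing it.
    static byte[] cachedReseeded(long seed) throws NoSuchAlgorithmException {
        if (cached == null) {
            cached = SecureRandom.getInstance("SHA1PRNG");
            cached.nextBytes(new byte[1]); // first draw self-seeds from system entropy
        }
        cached.setSeed(seed);
        byte[] out = new byte[8];
        cached.nextBytes(out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        long seed = 12345L; // same seed value as the ticket's example
        boolean freshRepeats =
            Arrays.equals(freshSeeded(seed), freshSeeded(seed));
        boolean cachedRepeats =
            Arrays.equals(cachedReseeded(seed), cachedReseeded(seed));
        System.out.println("fresh instance repeats:  " + freshRepeats);
        System.out.println("cached instance repeats: " + cachedRepeats);
    }
}
```

A fresh seeded instance is fully determined by its seed, which suits repeatable test data but not tokens, keys or session identifiers.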
Oh right. I think I had that discussion with someone else on a different ticket, too. When you change direction on a ticket, can you PLEASE update the ticket to explain it. I seem to spend a lot of time going "can you pls clarify what's going on here?", because you lot aren't great at keeping us up to date with how you're handling a ticket. Cheers. -- Adam
Comment by External U.
02/12/2015 23:53:52 GMT
The fix for this bug is available in the pre-release build of ColdFusion 11 Update 5 and ColdFusion 10 Update 16
Comment by CFwatson U.
02/20/2015 09:26:27 GMT
Updated content here: https://wikidocs.adobe.com/wiki/display/coldfusionen/Randomize
Comment by Jacob J.
03/30/2015 06:48:36 GMT
Hi Rupesh, In CF11 Update 5 (build 11,0,05,293506), randomize(12345, "SHA1PRNG") does not ensure repeatable number patterns even w/ JVM arg -Dcoldfusion.disablejsafe=false on developer edition. Should it? BTW, that documented argument seems wrong for "disabling JSAFE". It seems the argument to disable JSAFE should be -Dcoldfusion.disablejsafe=true. However, I tried that as well and still no repeatable number pattern. Thanks!, -Aaron
Comment by External U.
11/20/2015 06:16:35 GMT
Hi Aaron, Yes, the value of the flag should be true. I have updated the documentation. I have tried the below example having the jsafe flag in place.

    <cfset mySeedInt = 12345>
    <cfset Randomize(mySeedInt, "SHA1PRNG")>
    <cfoutput>
    rand(): #rand("SHA1PRNG")#<br>
    rand(): #rand("SHA1PRNG")#<br>
    rand(): #rand("SHA1PRNG")#<br>
    </cfoutput>

And each run is giving me the same (repeatable with the given seed) pattern. Please provide the example you are trying. Thanks, Pavan.
Comment by S V.
11/20/2015 06:50:59 GMT
Hi Pavan, Sorry, my code was wrong. I had rand() instead of rand("SHA1PRNG"). Basically, I hadn't checked the rand() doc for proper syntax. =P I see your code runs fine on CF11U5 w/ -Dcoldfusion.disablejsafe=true. Thanks for updating the JVM arg in the doc, that was fast! Thanks, -Aaron
Comment by External U.
11/20/2015 07:51:46 GMT
Status:
Closed
Details
Date Created:
07/21/2014
Component:
Language
Version:
HF5
Failure Type
Found In Build:
Final
Fixed In Build:
CF11 Update5,CF10 Update16
Priority:
Major
Frequency:
All users will encounter
System:
Win 2008 Server R2 64 bit
Browser:
Resolution
Fixed
Reason Code:
Votes:
2
Vote Comments:
Even the example provided in the documentation does not work.
Comment by External U.
07/21/2014 11:33:05 GMT
It's a regression so should be fixed. Doesn't look like you guys have appropriate unit/regression test coverage here... there's no way this should have got past you. NB: neither rand() nor randRange() respect the randomize() seeding. -- Adam
Comment by External U.
07/22/2014 01:43:04 GMT