vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-06-28 22:30:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Use PHP7's random_int() CSPRNG functionality in wp_rand() with a fallback to the random_compat library for PHP 5.x.

Browse Source 
`random_compat` offers a set of compatible functions for older versions of PHP, filling in the gap by using other PHP extensions when available.
We still include our existing `wp_rand()` functionality as a fallback for when no proper CSPRNG exists on the system.

Props sarciszewski
See #28633


git-svn-id: https://develop.svn.wordpress.org/trunk@34922 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Dion Hulse
2015-10-08 00:01:26 +00:00
parent 1fc41894d2
commit ffb7ae1389
10 changed files with 854 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/wp-includes/pluggable.php
View File

@@ -2132,9 +2132,11 @@ if ( !function_exists('wp_rand') ) :
* Generates a random number
*
* @since 2.6.2
* @since 4.4 Uses PHP7 random_int() or the random_compat library if avaialble.
*
* @global string $rnd_value
* @staticvar string $seed
* @staticvar bool $external_rand_source_available
*
* @param int $min Lower limit for the generated number
* @param int $max Upper limit for the generated number
@@ -2143,6 +2145,34 @@ if ( !function_exists('wp_rand') ) :
function wp_rand( $min = 0, $max = 0 ) {
global $rnd_value;
// Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
$max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
// We only handle Ints, floats are truncated to their integer value.
$min = (int) $min;
$max = (int) $max;
// Use PHP's CSPRNG, or a compatible method
static $use_random_int_functionality = true;
if ( $use_random_int_functionality ) {
try {
$_max = ( 0 != $max ) ? $max : $max_random_number;
// wp_rand() can accept arguements in either order, PHP cannot.
$_max = max( $min, $_max );
$_min = min( $min, $_max );
$val = random_int( $_min, $_max );
if ( false !== $val ) {
return absint( $val );
} else {
$use_random_int_functionality = false;
}
} catch ( Throwable $t ) {
$use_random_int_functionality = false;
} catch ( Exception $e ) {
$use_random_int_functionality = false;
}
}
// Reset $rnd_value after 14 uses
// 32(md5) + 40(sha1) + 40(sha1) / 8 = 14 random numbers from $rnd_value
if ( strlen($rnd_value) < 8 ) {
@@ -2167,9 +2197,6 @@ function wp_rand( $min = 0, $max = 0 ) {
$value = abs(hexdec($value));
// Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
$max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
// Reduce the value to be within the min - max range
if ( $max != 0 )
$value = $min + ( $max - $min + 1 ) * $value / ( $max_random_number + 1 );