Opened 5 years ago
Closed 5 years ago
#6293 closed defect (bug) (fixed)
phpass should use uniqid(), not getmypid()
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Priority: | normal | Milestone: | 2.5 |
| Component: | General | Version: | 2.5 |
| Severity: | blocker | Keywords: | has-patch |
| Cc: | westi |
Description
class-phpass.php uses this code to generate a random string:
$this->random_state = microtime() . getmypid();
It shouldn't, because (a) it reinvents the uniqid() wheel, and (b) getmypid() is evidently disabled on some locked-down PHP installs:
http://wordpress.org/support/topic/162121?replies=2
The patch changes it to call uniqid() instead.
Attachments (1)
Change History (10)
tellyworth — 5 years ago
comment:1
Viper007Bond — 5 years ago
- Severity changed from normal to blocker
- Version set to 2.5
comment:2
Viper007Bond — 5 years ago
Oh, also:
Warning
Process IDs are not unique, thus they are a weak entropy source. We recommend against relying on pids in security-dependent contexts.
phpass is a 3rd party class and I believe the developers prefer not to modify them in most cases.
Cases where its a Security issue or It doesnt work properly can be classified as bugs, AFAIK, Its ok to fix bugs in the version WordPress uses, and submit the patches up stream for consideration, or a better fix.
comment:4
Viper007Bond — 5 years ago
Yeah, I know. :)
Solar Designer sent me a detailed reply, which I'll try to summarize here. In general, getmypid() is sufficient for this fallback code path even if disabled, but if we want to address the warning we can use this:
$this->random_state = microtime() . (function_exists("getmypid") ? getmypid() : "") . uniqid(rand(), TRUE);
This won't go into upstream phpass for awhile due to it's PHP3 dependency, but we can add it if we like.
phpass is a 3rd party class and I believe the developers prefer not to modify them in most cases.
This may be a special case though as it's a blocker.