
Ticket #28633: 28633.patch

File 28633.patch, 5.5 KB (added by sarciszewski, 10 years ago)

Bugfix

  • src/wp-admin/includes/ms.php

    From 7734b4ac9fb028db0c25b3f2dfb72958593ab453 Mon Sep 17 00:00:00 2001
    From: Scott Arciszewski <scott@arciszewski.me>
    Date: Mon, 17 Nov 2014 19:59:10 -0500
    Subject: [PATCH] Expose a CSPRNG via wp_secure_rand() and use it
    
    ---
     src/wp-admin/includes/ms.php     |  4 ++--
     src/wp-admin/includes/schema.php |  2 +-
     src/wp-includes/functions.php    |  4 ++--
     src/wp-includes/ms-functions.php |  4 ++--
     src/wp-includes/pluggable.php    | 40 +++++++++++++++++++++++++++++++++++++++-
     5 files changed, 46 insertions(+), 8 deletions(-)
    
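diff --git a/src/wp-admin/includes/ms.php b/src/wp-admin/includes/ms.php
index d2201d3..1f5721e 100644
--- a/src/wp-admin/includes/ms.php
+++ b/src/wp-admin/includes/ms.php
@@ -215,7 +215,7 @@ function update_option_new_admin_email( $old_value, $value ) {
         if ( $value == get_option( 'admin_email' ) || !is_email( $value ) )
                 return;
 
-        $hash = md5( $value. time() .mt_rand() );
+        $hash = md5( wp_secure_rand(16) . $value. time() .mt_rand() );
         $new_admin_email = array(
                 'hash' => $hash,
                 'newemail' => $value
@@ -285,7 +285,7 @@ function send_confirmation_on_profile_email() {
                         return;
                 }
 
-                $hash = md5( $_POST['email'] . time() . mt_rand() );
+                $hash = md5( wp_secure_rand(16) . $_POST['email'] . time() . mt_rand() );
                 $new_user_email = array(
                                 'hash' => $hash,
                                 'newemail' => $_POST['email']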
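Review bot: The new `$hash` on line 218 still silently degrades to the pre-patch token when no secure source is available, because wp_secure_rand() as added in pluggable.php in this same patch has no return statement after its last fallback and therefore yields null once /dev/urandom, mcrypt_create_iv() and a strong openssl_random_pseudo_bytes() are all unavailable; `md5( null . $value . time() . mt_rand() )` is then exactly the old weak hash, with no signal to the caller. The same holds for the send_confirmation_on_profile_email() hunk below (line 288) and for the schema.php, functions.php, ms-functions.php and wp_rand() hunks. The fix belongs in wp_secure_rand() rather than in each caller: end that function with a loud failure such as `throw new Exception( 'No cryptographically secure random source is available' );` so a caller can never concatenate null. Both enclosing functions in this section start before their hunks.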
  • src/wp-admin/includes/schema.php

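diff --git a/src/wp-admin/includes/schema.php b/src/wp-admin/includes/schema.php
index 2cfe9e0..6270ae8 100644
--- a/src/wp-admin/includes/schema.php
+++ b/src/wp-admin/includes/schema.php
@@ -1016,7 +1016,7 @@ We hope you enjoy your new site. Thanks!
 
                 $vhost_ok = false;
                 $errstr = '';
-                $hostname = substr( md5( time() ), 0, 6 ) . '.' . $domain; // Very random hostname!
+                $hostname = bin2hex( wp_secure_rand(3) ) . '.' . $domain; // Very random hostname!
                 $page = wp_remote_get( 'http://' . $hostname, array( 'timeout' => 5, 'httpversion' => '1.1' ) );
                 if ( is_wp_error( $page ) )
                         $errstr = $page->get_error_message();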
  • src/wp-includes/functions.php

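diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php
index b77d59e..23d0993 100644
--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -1668,9 +1668,9 @@ function wp_is_writable( $path ) {
 function win_is_writable( $path ) {
 
         if ( $path[strlen( $path ) - 1] == '/' ) // if it looks like a directory, check a random file within the directory
-                return win_is_writable( $path . uniqid( mt_rand() ) . '.tmp');
+                return win_is_writable( $path . uniqid( bin2hex(wp_secure_rand(16)) ) . '.tmp');
         else if ( is_dir( $path ) ) // If it's a directory (and not a file) check a random file within the directory
-                return win_is_writable( $path . '/' . uniqid( mt_rand() ) . '.tmp' );
+                return win_is_writable( $path . '/' . uniqid( bin2hex(wp_secure_rand(16)) ) . '.tmp' );
 
         // check tmp file for read/write capabilities
         $should_delete_tmp_file = !file_exists( $path );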
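Review bot: The expression `uniqid( bin2hex(wp_secure_rand(16)) )` is now duplicated on lines 1671 and 1673, and the uniqid() wrapper adds nothing once 16 CSPRNG bytes form the prefix; computing the probe name once, `$probe = bin2hex( wp_secure_rand(16) ) . '.tmp';`, and using `$path . $probe` and `$path . '/' . $probe` in the two branches keeps the two branches in step and makes it obvious that both create the same kind of file. win_is_writable() continues past the hunk.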
  • src/wp-includes/ms-functions.php

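diff --git a/src/wp-includes/ms-functions.php b/src/wp-includes/ms-functions.php
index b0cd44c..36331cf 100644
--- a/src/wp-includes/ms-functions.php
+++ b/src/wp-includes/ms-functions.php
@@ -713,7 +713,7 @@ function wpmu_validate_blog_signup( $blogname, $blog_title, $user = '' ) {
 function wpmu_signup_blog( $domain, $path, $title, $user, $user_email, $meta = array() )  {
         global $wpdb;
 
-        $key = substr( md5( time() . rand() . $domain ), 0, 16 );
+        $key = substr( md5( time() . wp_secure_rand(8) . $domain ), 0, 16 );
         $meta = serialize($meta);
 
         $wpdb->insert( $wpdb->signups, array(
@@ -748,7 +748,7 @@ function wpmu_signup_user( $user, $user_email, $meta = array() ) {
         // Format data
         $user = preg_replace( '/\s+/', '', sanitize_user( $user, true ) );
         $user_email = sanitize_email( $user_email );
-        $key = substr( md5( time() . wp_secure_rand(8) . $user_email ), 0, 16 );
+        $key = substr( md5( time() . wp_secure_rand(8) . $user_email ), 0, 16 );
         $meta = serialize($meta);
 
         $wpdb->insert( $wpdb->signups, array(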
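Review bot: The signup key on line 716 takes 8 CSPRNG bytes, hashes them with time() and `$domain`, and truncates to 16 hex characters, so the md5() detour neither adds entropy (the result is bounded by the 64 random bits fed in) nor changes the key's shape; `$key = bin2hex( wp_secure_rand(8) );` produces a 16-character key of the same strength and is easier to audit. The same applies to the wpmu_signup_user() hunk on line 751. Both enclosing functions continue past their hunks.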
  • src/wp-includes/pluggable.php

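diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index 22c1935..21dc246 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -2004,6 +2004,44 @@ function wp_generate_password( $length = 12, $special_chars = true, $extra_speci
 }
 endif;
 
+if ( !function_exists('wp_secure_rand') ) :
+/**
+ * Generate a cryptographically secure random string
+ * @ref http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
+ *
+ * @param int $bytes - how many bytes do we want?
+ */
+
+function wp_secure_rand($bytes = 32) {
+        $buf = '';
+        // Use /dev/urandom over all other methods
+        if (is_readable('/dev/urandom')) {
+                $fp = fopen('/dev/urandom', 'rb');
+                if ($fp !== false) {
+                        $buf = fread($fp, $bytes);
+                        fclose($fp);
+                        if ($buf !== FALSE) {
+                                return $buf;
+                        }
+                }
+        }
+        if (function_exists('mcrypt_create_iv')) {
+                $buf = mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM);
+                if($buf !== FALSE) {
+                        return $buf;
+                }
+        }
+        if (function_exists('openssl_random_pseudo_bytes')) {
+                $strong = false;
+                $buf = openssl_random_pseudo_bytes($bytes, $strong);
+                if ($strong) {
+                        return $buf;
+                }
+        }
+}
+
+endif;
+
 if ( !function_exists('wp_rand') ) :
 /**
  * Generates a random number
@@ -2024,7 +2062,7 @@ function wp_rand( $min = 0, $max = 0 ) {
                         static $seed = '';
                 else
                         $seed = get_transient('random_seed');
-                $rnd_value = md5( uniqid(microtime() . mt_rand(), true ) . $seed );
+                $rnd_value = md5( wp_secure_rand(16) . uniqid(microtime() . mt_rand(), true ) . $seed );
                 $rnd_value .= sha1($rnd_value);
                 $rnd_value .= sha1($rnd_value . $seed);
                 $seed = md5($seed . $rnd_value);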
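Review bot: In the /dev/urandom branch of wp_secure_rand() (new lines 2021-2025) the only check on the fread() result is `$buf !== FALSE`, so a short read would be returned as if it were a full buffer; the guard should be `if ($buf !== false && strlen($buf) === $bytes) {`, and `$bytes` should be normalised first with `$bytes = (int) $bytes;` since fread(), mcrypt_create_iv() and openssl_random_pseudo_bytes() all take an integer and the function is pluggable, so its argument handling is part of the contract. The docblock has no `@return` tag and does not say the value is raw binary; `@return string $bytes bytes of raw binary data (not printable; use bin2hex() where text is needed)` would explain why win_is_writable() and schema.php wrap the call in bin2hex() while the md5() callers pass it through directly. As a point of style, `FALSE` on lines 2023 and 2030 should be lowercase `false` like the rest of the file, and the `$buf = ''` initialiser on line 2016 is never read before being overwritten.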