
Changeset 34922


Timestamp:
10/08/2015 12:01:26 AM (4 years ago)
Author:
dd32
Message:

Use PHP7's random_int() CSPRNG functionality in wp_rand() with a fallback to the random_compat library for PHP 5.x.
random_compat offers a set of compatible functions for older versions of PHP, filling in the gap by using other PHP extensions when available.
We still include our existing wp_rand() functionality as a fallback for when no proper CSPRNG exists on the system.

Props sarciszewski
See #28633

Location:
trunk/src/wp-includes
Files:
9 added
2 edited

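--- a/trunk/src/wp-includes/compat.php
+++ b/trunk/src/wp-includes/compat.php
@@ -333,2 +333,7 @@
     }
 }
+
+// random_int was introduced in PHP 7.0
+if ( ! function_exists( 'random_int' ) ) {
+    require ABSPATH . WPINC . '/random_compat/random.php';
+}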
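Review bot: The added `require` loads a bundled copy of random_compat, but nothing in this hunk records which upstream release that copy corresponds to, which makes it hard to tell later whether a security fix in the library has been picked up. If the nine added files (not shown in this view) do not already carry that information, the comment could read `// random_int() was introduced in PHP 7.0; older PHP loads the bundled random_compat (upstream release: <VERSION>).`. It would also help to note here that the polyfill presumably throws when no secure source exists, since wp_rand() relies on catching that to reach its fallback.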
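--- a/trunk/src/wp-includes/pluggable.php
+++ b/trunk/src/wp-includes/pluggable.php
@@ -2133,7 +2133,9 @@
  *
  * @since 2.6.2
+ * @since 4.4 Uses PHP7 random_int() or the random_compat library if avaialble.
  *
  * @global string $rnd_value
  * @staticvar string $seed
+ * @staticvar bool $external_rand_source_available
  *
  * @param int $min Lower limit for the generated number
@@ -2143,4 +2145,32 @@
 function wp_rand( $min = 0, $max = 0 ) {
     global $rnd_value;
+
+    // Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
+    $max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
+
+    // We only handle Ints, floats are truncated to their integer value.
+    $min = (int) $min;
+    $max = (int) $max;
+
+    // Use PHP's CSPRNG, or a compatible method
+    static $use_random_int_functionality = true;
+    if ( $use_random_int_functionality ) {
+        try {
+            $_max = ( 0 != $max ) ? $max : $max_random_number;
+            // wp_rand() can accept arguements in either order, PHP cannot.
+            $_max = max( $min, $_max );
+            $_min = min( $min, $_max );
+            $val = random_int( $_min, $_max );
+            if ( false !== $val ) {
+                return absint( $val );
+            } else {
+                $use_random_int_functionality = false;
+            }
+        } catch ( Throwable $t ) {
+            $use_random_int_functionality = false;
+        } catch ( Exception $e ) {
+            $use_random_int_functionality = false;
+        }
+    }
 
     // Reset $rnd_value after 14 uses
@@ -2167,7 +2197,4 @@
 
     $value = abs(hexdec($value));
-
-    // Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
-    $max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
 
     // Reduce the value to be within the min - max range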
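Review bot: In the new `try` block of wp_rand(), `$_max` is overwritten by `max( $min, $_max )` before `$_min = min( $min, $_max )` is evaluated, so `$_min` always equals `$min`; when a caller passes the bounds in reverse order both ends collapse to `$min` and `random_int()` returns that single value every time instead of a random one. Computing the lower bound first fixes it: `$_min = min( $min, $_max );` followed by `$_max = max( $min, $_max );`. Separately, any exception, including one caused by the arguments rather than by a missing entropy source, sets the static `$use_random_int_functionality` to false and silently routes every later call in the request to the legacy generator; a comment stating that this downgrade is intended, or a narrower condition for clearing the flag, would help. The docblock hunk documents `$external_rand_source_available`, which does not match the static actually declared. wp_rand()'s body continues outside the visible hunks.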