Make WordPress Core


Timestamp:
10/09/2015 04:27:41 AM (9 years ago)
Author:
dd32
Message:

Use PHP7's random_int() CSPRNG functionality in wp_rand() with a fallback to the random_compat library for PHP 5.x.
random_compat offers a set of compatible functions for older versions of PHP, filling in the gap by using other PHP extensions when available.
We still include our existing wp_rand() functionality as a fallback for when no proper CSPRNG exists on the system.

Take Two, this was previously committed in [34922] but had an issue on PHP 5.2 which sarciszewski has now resolved.

Props sarciszewski
See #28633

File:
1 edited

  • trunk/src/wp-includes/pluggable.php

    r34947 r34981  
    21392139 *
    21402140 * @since 2.6.2
     2141 * @since 4.4 Uses PHP7 random_int() or the random_compat library if avaialble.
    21412142 *
    21422143 * @global string $rnd_value
    21432144 * @staticvar string $seed
     2145 * @staticvar bool $external_rand_source_available
    21442146 *
    21452147 * @param int $min Lower limit for the generated number
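Review bot: the new `@staticvar bool $external_rand_source_available` at 2145 documents a variable that the function body never declares; the static actually introduced below is `$use_random_int_functionality`, so the docblock should name that one (or the code should use the documented name). Also `avaialble` in the `@since 4.4` line should read `available`.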
     
    21492151function wp_rand( $min = 0, $max = 0 ) {
    21502152    global $rnd_value;
     2153
     2154    // Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
     2155    $max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
     2156
     2157    // We only handle Ints, floats are truncated to their integer value.
     2158    $min = (int) $min;
     2159    $max = (int) $max;
     2160
     2161    // Use PHP's CSPRNG, or a compatible method
     2162    static $use_random_int_functionality = true;
     2163    if ( $use_random_int_functionality ) {
     2164        try {
     2165            $_max = ( 0 != $max ) ? $max : $max_random_number;
     2166            // wp_rand() can accept arguements in either order, PHP cannot.
     2167            $_max = max( $min, $_max );
     2168            $_min = min( $min, $_max );
     2169            $val = random_int( $_min, $_max );
     2170            if ( false !== $val ) {
     2171                return absint( $val );
     2172            } else {
     2173                $use_random_int_functionality = false;
     2174            }
     2175        } catch ( Throwable $t ) {
     2176            $use_random_int_functionality = false;
     2177        } catch ( Exception $e ) {
     2178            $use_random_int_functionality = false;
     2179        }
     2180    }
    21512181
    21522182    // Reset $rnd_value after 14 uses
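Review bot: the argument-order swap at 2167–2168 loses the original upper bound when a caller passes `$min > $max`: `$_max = max( $min, $_max );` overwrites `$_max` first, so the following `$_min = min( $min, $_max );` compares `$min` against the already-raised `$_max` and both bounds end up equal to `$min`, making `random_int()` return a constant. Take the minimum from the original bounds before raising the maximum, e.g. `$_min = min( $min, $_max ); $_max = max( $min, $_max );` in that order. Separately, `random_int()` reports failure by throwing rather than returning `false`, so the `false !== $val` branch at 2170–2174 is unreachable and the `else` can go; and `arguements` in the comment at 2166 should read `arguments`.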
     
    21732203
    21742204    $value = abs(hexdec($value));
    2175 
    2176     // Some misconfigured 32bit environments (Entropy PHP, for example) truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
    2177     $max_random_number = 3000000000 === 2147483647 ? (float) "4294967295" : 4294967295; // 4294967295 = 0xffffffff
    21782205
    21792206    // Reduce the value to be within the min - max range