
Make WordPress Core

Opened 8 years ago

Closed 7 years ago

#19571 closed defect (bug) (fixed)

wp_rand() can return a value outside the requested range

Reported by: mdawaffe
Owned by: westi
Milestone: 3.5
Priority: normal
Severity: normal
Version: 3.3
Component: General
Keywords: has-patch health-check
Focuses:
Cc:

Description

On some 32-bit hosts, the Entropy builds of PHP truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them as floats.

var_dump( 3000000000 === 2147483647 ); // true

This can cause wp_rand() to return a value outside the requested range. That unexpected value in turn breaks wp_generate_password(), which can have security ramifications.

The entropy builds of PHP can be downloaded from:

Steps to reproduce:

  1. Find an old 32-bit Mac.
  2. curl -O 'http://taracque.hu/downloads/Entropy_PHP_5-3-8-0.zip'
  3. unzip Entropy_PHP_5-3-8-0.zip
  4. sudo installer -pkg Entropy_PHP_5-3-8-0.pkg -target "/"
  5. /usr/local/php5/bin/php -r 'var_dump( 3000000000 === 2147483647 );'

The attached patch to wp_rand() checks for the problem and creates the problematic large integer as a string cast to a float rather than as an int (which, on working PHP builds, would be implicitly cast to a float).

The patch is also implemented as a plugin: http://wordpress.org/extend/plugins/wp-rand-for-entropy-php/
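To make the failure mode concrete, here is an added PHP illustration (my example, not the attached 19571.diff and not WordPress core code) that reproduces the arithmetic shape of wp_rand()'s range reduction. It assumes that wp_rand() scales an 8-hex-digit value into [$min, $max] by dividing by one more than the largest raw value, 4294967295 (0xffffffff), and that on the affected builds only integer literals above PHP_INT_MAX are truncated while hexdec() still returns the correct float. The function names, the 62-character alphabet and the $truncates switch are constructed for the demo so both outcomes can be seen on a healthy build:

```php
<?php
// Added illustration for ticket #19571. Not the attached patch and not
// WordPress core code; it mirrors the arithmetic of a wp_rand()-style
// range reduction so the overshoot is visible on any PHP build.
//
// Assumptions (mine, not the ticket's): the raw value is 8 hex digits
// (0 .. 0xffffffff) scaled into [$min, $max] by dividing by (max_raw + 1);
// on the affected 32-bit Entropy builds only integer *literals* above
// PHP_INT_MAX are truncated, while hexdec() still returns the right float.

// The ticket's own one-line probe. True only on a build that truncates
// out-of-range integer literals; suitable for a health-check style test.
function build_truncates_literals() {
	return 3000000000 === 2147483647;
}

// Same arithmetic as a wp_rand()-style range reduction (simplified).
function scale_to_range( $raw, $min, $max, $max_raw ) {
	$value = $min + ( $max - $min + 1 ) * ( $raw / ( $max_raw + 1 ) );
	return abs( intval( $value ) );
}

// What the literal 4294967295 (0xffffffff) evaluates to on a given build.
// $truncates is a parameter so both outcomes can be shown on a healthy build.
function max_raw_as_literal( $truncates ) {
	// Truncating build: the literal silently becomes PHP_INT_MAX (32-bit).
	return $truncates ? 2147483647 : 4294967295;
}

// The defensive form behind the ticket's approach: a numeric string cast to
// float is never parsed as an integer literal, so it cannot be truncated.
function max_raw_as_float_string() {
	return (float) "4294967295";
}

// Worst-case raw value: all eight hex digits set. hexdec() hands this back as
// a float on 32-bit PHP because it exceeds PHP_INT_MAX.
$raw = hexdec( 'ffffffff' );

// Constructed range: an index into a 62-character alphabet, the kind of
// lookup a password generator performs for each character.
$min = 0;
$max = 61;

printf( "this build truncates literals:     %s\n", build_truncates_literals() ? 'yes' : 'no' );
printf( "truncated literal (broken build):  %d\n", scale_to_range( $raw, $min, $max, max_raw_as_literal( true ) ) );
printf( "correct literal (working build):   %d\n", scale_to_range( $raw, $min, $max, max_raw_as_literal( false ) ) );
printf( "float from string (either build):  %d\n", scale_to_range( $raw, $min, $max, max_raw_as_float_string() ) );
```

With the truncated ceiling the divisor is 2147483648, so the ratio for the worst-case raw value is just under 2 and the 0..61 range is mapped to 123; with the real ceiling, or with the string cast to float, the same input maps to 61. That out-of-range index is how the broken wp_rand() reaches wp_generate_password(), and the string-to-float construction is why the patch's approach sidesteps the literal parser entirely.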

Attachments (1)

19571.diff (1.3 KB) - added by mdawaffe 8 years ago.
oops - forgot to attach the file :)


Change History (6)

#1 @mdawaffe
8 years ago

PS: Installing entropy edits the apache configs that come with OS X.

@mdawaffe
8 years ago

oops - forgot to attach the file :)

#2 @matt
8 years ago

  • Keywords health-check added

Adding health-check tag as this would be useful to include as a test in our health check screen.

#3 @SergeyBiryukov
8 years ago

Minor typo in the patch: "Etropy" → "Entropy"

#4 @westi
7 years ago

  • Milestone changed from Awaiting Review to 3.5

#5 @westi
7 years ago

  • Owner set to westi
  • Resolution set to fixed
  • Status changed from new to closed

In [21685]:

Make sure that we always generate random numbers correctly even if the PHP build is slightly broken and truncates large integers.

Fixes #19571 props mdawaffe.
