#35290 closed defect (bug) (fixed)
Use CSPRNG to generate salt instead of API, if possible.
Reported by: | sarciszewski | Owned by: | dd32 |
---|---|---|---|
Milestone: | 4.5 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Security | Keywords: | has-patch commit |
Focuses: | administration | Cc: |
Description
Since we have random_bytes()
as of WordPress 4.4 (even on PHP 5.2.x), I propose something like this:
try { $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|'; $maxl = strlen($chars) - 1; for ( $i = 0; $i < 8; $i++ ) { $key = ''; for ( $j = 0; $j < 64; $j++ ) { $key .= $chars[random_int(0, $max)]; } $secret_keys[] = $key; } } catch (Exception $ex) { $secret_keys = wp_remote_get( 'https://api.wordpress.org/secret-key/1.1/salt/' ); }
Instead of just using wp_generate_password(64, true true)
, this prioritizes the CSPRNG and falls back to the API approach if it's not available (since wp_generate_password()
falls back silently if random_compat throws an Exception
).
Attachments (2)
Change History (10)
@
9 years ago
Attempt at using CSPRNG falling back to API (if enabled) and further falling back to original wp_generate_password()
#4
@
9 years ago
@diddledan Thanks for the patch! A few things though
- There's a typo,
$maxl
instead of$max
- In general we avoid array-syntax access to arrays in favour of
substr()
Note: See
TracTickets for help on using
tickets.
This seems like a good extension of the random_bytes work done in 4.4