#35970 closed defect (bug) (invalid)
Compat random_int issue with hanging mcrypt iv generator when urandom unreadable
| Reported by: | phil1984 | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.4.2 |
| Component: | External Libraries | Keywords: | |
| Focuses: | | Cc: | |
Description
I noticed that after upgrading to the latest WordPress, I can no longer log in. This is arguably a server configuration problem, but in my opinion it could be handled better in the WordPress compat code.
When /dev/urandom is not in the open_basedir it is not readable by PHP. When the random_bytes compat runs, it selects the mcrypt option. This causes the line
mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM);
to hang at 100% CPU with DSO PHP, probably because mcrypt is waiting for the random bytes that never come. Since mcrypt depends on reading from /dev/urandom, it shouldn't be selected as a fallback in random_compat/random.php.
In fact, if /dev/urandom is not readable it may cause problems with the other compat fallbacks like openssl.
Change History (3)
#2
9 years ago
- Resolution set to invalid
- Status changed from new to closed
Thanks for the link, @ocean90. My apologies. Then this is not a WordPress bug. I will take it up with the random_compat team.
I can see the change, and I actually think it will make things worse. That restriction would force more environments onto the mcrypt fallback. The problem is that if urandom is not readable, there is no point in falling back to mcrypt because that eventually uses urandom too.
Hello @phil1984, welcome to Trac!
In #35665 we have updated the random_compat library to version 1.1.6 which includes a change for that: https://github.com/paragonie/random_compat/blob/master/CHANGELOG.md#version-116---2015-01-29
Can you test the current beta of WordPress 4.5 and report back if this solves your issue?
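A preflight check for the condition reported in this ticket, added here as an example and not taken from WordPress or random_compat. The function names urandom_status() and random_source_report() are made up for this illustration, and the script never calls mcrypt_create_iv(), so it cannot trigger the hang itself.

```php
<?php
// Added diagnostic example; not WordPress or random_compat code.
// Reports whether this PHP process can read /dev/urandom and which other
// random sources exist, without ever calling mcrypt_create_iv().

function urandom_status($device = '/dev/urandom')
{
    $status = array(
        'open_basedir' => (string) ini_get('open_basedir'),
        // Outside open_basedir, is_readable() returns false and raises a warning.
        'readable'     => @is_readable($device),
        'read_ok'      => false,
    );
    $fp = $status['readable'] ? @fopen($device, 'rb') : false;
    if ($fp !== false) {
        stream_set_read_buffer($fp, 0); // read 16 bytes, not a full stream buffer
        $bytes = fread($fp, 16);
        fclose($fp);
        $status['read_ok'] = is_string($bytes) && strlen($bytes) === 16;
    }
    return $status;
}

function random_source_report()
{
    $urandom = urandom_status();
    $native  = PHP_VERSION_ID >= 70000; // built-in random_bytes(), no polyfill needed
    $sources = array(
        'random_bytes (built in)'     => $native,
        '/dev/urandom via fopen'      => $urandom['read_ok'],
        'mcrypt_create_iv'            => function_exists('mcrypt_create_iv'),
        'openssl_random_pseudo_bytes' => function_exists('openssl_random_pseudo_bytes'),
    );
    // The condition from this ticket: device blocked, mcrypt still on offer.
    $atRisk = !$native && !$urandom['read_ok'] && $sources['mcrypt_create_iv'];
    return array('urandom' => $urandom, 'sources' => $sources, 'at_risk' => $atRisk);
}

$report = random_source_report();
printf("open_basedir: %s\n", $report['urandom']['open_basedir'] ?: '(not set)');
foreach ($report['sources'] as $name => $available) {
    printf("%-30s %s\n", $name, $available ? 'available' : 'unavailable');
}
if ($report['at_risk']) {
    echo "WARNING: /dev/urandom is unreadable and mcrypt is loaded.\n";
}
```

Run it through the same SAPI and virtual host that serves the site, since open_basedir is often set per host and the CLI may not share that configuration.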