Opened 21 months ago

Closed 20 months ago

Last modified 19 months ago

#42439 closed defect (bug) (fixed)

Update random_compat external library for PHP 7 linting failure

Reported by: jrdelarosa Owned by: dd32
Milestone: 4.9.2 Priority: normal
Severity: normal Version: 4.9
Component: External Libraries Keywords: fixed-major
Focuses: Cc:

Description

Currently the random_compat library included with WordPress core is the only part that fails against PHP 7 linting. As a tech at WP Engine I've noticed that our customers run into problems when pushing to their remote repositories, so I did a bit of investigation and it looks like the external library included was updated to correct this as of October 2016 as commented here: https://core.trac.wordpress.org/ticket/35665#comment:6

I've created the attached diff and it passes all of the unit tests included with core. I've also verified that it lints correctly via the following command.

for file in $(find . -type f -name "*.php"); do php -l "$file"; done | grep -v "No syntax errors"

#35665 - Previously updated to version 1.2.1 in ticket #35665
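The same check, written here as an added example in PHP rather than taken from the ticket or from core: it walks a tree with the interpreter that runs it and reports parse failures, while letting you list paths that are intentionally not loaded on that PHP version (the point dd32 makes about random_compat below), so those do not count as defects. Function names and the skipped path are hypothetical.

```php
<?php
/**
 * Added example (not from the ticket): syntax-check every .php file under
 * $root with the PHP engine running this script, as `php -l` would, and
 * return the files that fail to parse.
 *
 * $skip holds path prefixes (relative to $root) that are deliberately not
 * loaded on this PHP version, e.g. a polyfill shipped only for older
 * interpreters; a parse failure there is expected and is not reported.
 */
function lint_php_tree($root, array $skip = array())
{
    $failures = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $relative = ltrim(substr($file->getPathname(), strlen($root)), '/\\');
        foreach ($skip as $prefix) {
            if (strpos($relative, $prefix) === 0) {
                continue 2; // skip files that are never loaded on this PHP version
            }
        }
        $source = file_get_contents($file->getPathname());
        try {
            // TOKEN_PARSE (PHP 7.0+) runs the parser during tokenizing, so a
            // syntax error surfaces as a ParseError instead of being ignored.
            token_get_all($source, TOKEN_PARSE);
        } catch (ParseError $e) {
            $failures[$relative] = sprintf('line %d: %s', $e->getLine(), $e->getMessage());
        }
    }
    ksort($failures);
    return $failures;
}

// Usage: php lint-tree.php /path/to/site
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $failures = lint_php_tree(rtrim($argv[1], '/\\'), array(
        // Placeholder prefix; replace with the directory of the polyfill that
        // is only loaded on older PHP versions in the tree being checked.
        'wp-includes/example-polyfill/',
    ));
    foreach ($failures as $path => $reason) {
        fwrite(STDERR, "$path: $reason\n");
    }
    exit(count($failures) === 0 ? 0 : 1);
}
```

Exit status 1 on any failure makes it usable as a pre-deploy gate; run it under each PHP version the site actually uses, with the skip list matching what that version loads.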

Attachments (1)

42439-random-compat.diff (55.3 KB) - added by jrdelarosa 21 months ago.
Diff submission for ticket # 42439


Change History (16)

@jrdelarosa
21 months ago

Diff submission for ticket # 42439

#1 @jrdelarosa
21 months ago

Library has been updated to most recent version of upstream -- Version 2.0.11

#2 @dd32
21 months ago

Diffing the versions in github looks sane, as does this patch.

It's always been expected that these files would not parse under PHP7, as they're not loaded there. Unfortunately it seems that WPEngine blocks deploying these files, causing issues (IMHO, it's WPE's responsibility to allow them to be deployed).

While I have no issue updating these, as we're so close to the 4.9 release, I'm tempted to leave it until 4.9.1 or 5.0 - even though I don't expect it'll cause any breakage.

Last edited 21 months ago by dd32

#3 @dd32
21 months ago

  • Milestone changed from Awaiting Review to 4.9.1

Okay, let's get this in 4.9.1 - I'll review once 4.9 is out. At the minimum we'll remove the PHP7 parse errors from 4.9.1 if the changes upstream are larger than expected.

#4 @dd32
21 months ago

In 42130:

External Libraries: Update Random_Compat from 1.2.1 to 2.0.11.

Notably this fixes PHP7 parse errors of the files and removes the OpenSSL functionality.
Full Changes: https://github.com/paragonie/random_compat/compare/v1.2.1...v2.0.11

Props jrdelarosa.
See #42439.

#5 @johnbillion
20 months ago

  • Keywords fixed-major added

#6 @johnbillion
20 months ago

  • Milestone changed from 4.9.1 to 4.9.2

#7 @dd32
20 months ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 42344:

Avoid PHP Linting errors in the Random_Compat library under PHP7.
The latest updates to the library are larger than preferred, so instead this modifies the library to lint properly.

Fixes #42439 for 4.9

#8 @Ipstenu
20 months ago

Did a scan to see who was using this. Doesn't look (to me) like anything SHOULD break.

Calling random_int()

67 matching plugins
Matches  Plugin                                       Active installs
=======  ======                                       ===============
      1  miniorange-login-with-eve-online-google-facebook        200+
      1  ilmomasiina-event-manager                                 0+
      1  xcloner-backup-and-restore                           70,000+
      2  kocuj-sitemap                                         2,000+
      2  wp-chatbull                                              60+
      1  next-active-directory-integration                     2,000+
      1  wp-concours                                             300+
      1  advanced-dynamic-pricing-for-woocommerce                  0+
      1  cart-recovery                                           200+
      1  mazen-seo-connector                                      10+
      1  hacklog-remote-image-autosave                         3,000+
      1  rocket24-analytics                                        0+
      1  perfectdashboard                                        900+
      2  pwaplusphp                                            2,000+
      2  testimonial-master                                       50+
      1  better-wp-security                                  800,000+
      1  pay-post-by-sms                                           0+
      1  sunny                                                 1,000+
      1  apocalypse-meow                                       1,000+
      1  fomo-payment-gateway-for-woocommerce                     20+
      2  business-master                                          10+
      2  random-user-ids                                          20+
      1  ing-psp                                                 200+
      2  mansplainer                                               0+
      1  total-security                                        2,000+
      2  automatic-comment-scheduler                              80+
      1  beeketing-for-woocommerce                             3,000+
      2  wp-pgp-encrypted-emails                                 200+
      1  google-maps                                          50,000+
      1  live-weather-station                                  3,000+
      2  quiz-master-next                                     10,000+
      1  woo-payment-highway                                       0+
      1  reservation-engine                                       10+
      2  jekyll-exporter                                         800+
      3  formlift                                                300+
      1  woo-ideal-gateway                                       100+
      4  cidram                                                  200+
      1  s2member                                             30,000+
      1  questionnaire                                           500+
      3  mg-member-control                                         0+
      2  woocommerce-germanized                               30,000+
      1  better-coupon-box                                       200+
      1  civic-sip                                                30+
      1  user-registration                                       700+
      1  custom-tabs-shortcodes                                    0+
      1  translation-connectors                                    0+
      1  look-see-security-scanner                             1,000+
      2  jetpack                                           4,000,000+
      1  sales-pop                                               900+
      1  unc-gallery                                              10+
      1  everest-review-lite                                       0+
      2  quote-master                                          1,000+
      1  salon-booking-system                                  3,000+
      1  frontend-dashboard-custom-post                            0+
     14  math-quiz                                               500+
      1  setka-editor                                          4,000+
      3  wordfence                                         2,000,000+
      1  wp-demo-buddy                                             0+
      1  awesome-support                                       6,000+
      1  erp                                                   4,000+
      1  well-handled                                             60+
      2  woorewards                                               10+
      1  admin-menu                                              300+
      1  axis-subscriptions                                       30+
      1  convertiser-widgets                                      50+
      2  wptimetoread                                              0+
      1  upstream                                                900+

Calling random_bytes()

241 matching plugins
Matches  Plugin                                       Active installs
=======  ======                                       ===============
      5  wp-rekogni                                                0+
      2  wp-native-php-sessions                               10,000+
      1  eduadmin-booking                                         10+
      2  miniorange-login-with-eve-online-google-facebook        200+
      1  wpx-maintenance-pro-light                                20+
      1  xcloner-backup-and-restore                           70,000+
      1  social-nation-itsme-oauth-login-multibutton               0+
      1  employee-directory                                      400+
      1  lifterlms                                             6,000+
      2  wp-meta-data-filter-and-taxonomy-filter              10,000+
      1  opal-hotel-room-booking                                 800+
      4  joebooking                                              300+
      3  wp-chatbull                                              60+
      5  next-active-directory-integration                     2,000+
      1  wp-travel                                               500+
      2  wp-hr-manager                                            10+
      1  branding                                                200+
     37  easy-affiliate-cloaker                                   10+
      8  logy                                                     10+
      2  webxpay-payment-gateway-for-woocommerce                  40+
      1  yith-woocommerce-request-a-quote                     10,000+
      1  leaflet-maps-marker                                  40,000+
      2  trusona                                                 300+
      8  premium-seo-pack-light-version                          500+
      8  jannes-mannes-social-media-auto-publisher                 0+
      5  import-youtube-videos-as-wp-post                        900+
      1  learnpress                                           30,000+
      5  ga-experiments-plus-dev-edition                          10+
      5  static-html-output-plugin                             6,000+
      1  liveeditor                                              100+
      5  do-spaces-sync                                            0+
      5  dxw-members-only                                          0+
      1  deemly                                                    0+
      1  mazen-seo-connector                                      10+
      2  ssh-sftp-updater-support                             40,000+
      1  idea-board                                               10+
      2  wp-splashing-images                                      50+
      3  wpx-server-light                                         30+
      5  backup-wd                                             6,000+
      2  mucash-micro-payments                                    10+
      1  site-reviews                                          1,000+
      5  wp-stateless                                          1,000+
     39  mpl-publisher                                           100+
      3  wp-otp                                                   80+
      5  download-s3-content                                       0+
      5  cf7-spreadsheets                                         20+
      2  php-compatibility-checker                            40,000+
     38  rocket24-analytics                                        0+
     33  perfectdashboard                                        900+
      5  protect-wp-videos                                         0+
      1  allwebmenus-wordpress-menu-plugin                       200+
      8  yith-woocommerce-social-login                        10,000+
      2  easy-digital-downloads                               60,000+
      5  ider-login                                                0+
      8  join-us                                                   0+
      2  iwp-client                                          400,000+
      5  intelligence                                             80+
      2  jigoshop-ecommerce                                      300+
      1  solidres                                                200+
      8  auto-post-woocommerce-products                            0+
      1  wp-ticket                                               500+
      1  extranet                                                100+
      1  participants-database                                10,000+
     34  wp-blade-engine                                           0+
      1  campus-directory                                        100+
      5  wp-consent-receipt                                        0+
      2  backup-amazon-s3                                      1,000+
     47  cartrabbit                                                0+
      1  wp-ldap                                                   0+
      2  sg-cachepress                                       200,000+
      5  wp-seo-keyword-optimizer                              2,000+
      2  keyy                                                  1,000+
      8  awesome-studio                                           50+
      5  peek-uploader-to-s3-for-wpdm                              0+
      1  login-with-qr                                            10+
      1  woo-rfq-for-woocommerce                               1,000+
      2  auxin-elements                                        2,000+
     37  ing-psp                                                 200+
      5  gmail-smtp                                           20,000+
      1  iamport-for-easy-digital-downloads                       40+
      2  woo-cart-fields                                           0+
      1  marketengine                                             50+
      2  cloudflare                                          100,000+
      4  buddypress-smf-import                                     0+
      5  aceide                                               10,000+
      3  wp-cleanfix                                           3,000+
      1  data-generator                                           10+
      6  total-security                                        2,000+
      2  contact-bot                                             100+
      8  fb-instant-articles                                  70,000+
      1  yith-essential-kit-for-woocommerce-1                 20,000+
      2  duplicator-clone                                      5,000+
      1  postmatic-social-commenting                             300+
     67  beeketing-for-woocommerce                             3,000+
      7  wp-pgp-encrypted-emails                                 200+
      1  wp-hotelier                                             500+
      2  database-backup-amazon-s3                               500+
      2  post-crumbs                                               0+
      2  wpguards                                                 30+
      3  wpx-cron-manager-light                                  600+
      3  best-configuration                                       10+
      8  wp-online-store                                       1,000+
      1  sell-media                                            2,000+
      2  wechat-broadcast                                        100+
     36  woo-payment-highway                                       0+
      1  comments-with-social-login                               10+
      1  httpcs-validation                                         0+
     33  reservation-engine                                       10+
      5  pxp-press                                                 0+
      1  software-issue-manager                                  100+
      2  doolox-node                                               0+
      1  mystyle-custom-product-designer                         100+
      1  woo-easy-autocomplete-order                               0+
      1  securelogin                                              10+
     32  ginger-woocommerce                                       40+
      4  socializr                                                 0+
      2  wd-google-analytics                                  20,000+
      2  extrawatch-pro                                          600+
      8  nextend-facebook-connect                            100,000+
      1  pro-vip                                                 200+
      5  launchkey                                               100+
      2  cidram                                                  200+
     35  s2member                                             30,000+
      1  bemo-a-z-index                                          200+
     10  akamai                                                   90+
      5  grid-social-boxes                                        10+
      2  woocommerce-germanized                               30,000+
      2  drupal-password-encryption                              100+
      1  intelly-posts-footer-manager                            100+
     67  better-coupon-box                                       200+
      2  constant-contact-forms                               70,000+
     50  civic-sip                                                30+
      4  buddypress                                          200,000+
      2  cyan-backup                                           2,000+
      1  user-registration                                       700+
      2  wp-backup-manager                                        20+
     13  gianism                                               1,000+
      3  booxtream-for-woocommerce                                20+
     33  translation-connectors                                    0+
      5  ilab-media-tools                                        400+
      1  placeholder-images                                        0+
      2  analytics-counter                                    50,000+
      1  charitable                                           10,000+
      2  laterpay                                                 30+
      5  dashylite                                                 0+
      2  woocommerce-products-filter                          50,000+
      5  gecko-google-calendar                                     0+
      3  wp-bannerize-pro                                        800+
      4  pay-again-gateway                                         0+
      2  updraftplus                                       1,000,000+
      2  moosend-email-marketing                                  10+
      1  travelmap-blog                                          300+
      1  wp-oer                                                    0+
      2  simple-2fa                                                0+
      1  graphflow-analytics                                      30+
     34  sales-pop                                               900+
      8  chatbot-for-facebook                                     30+
      4  aweber-wordpress-plugin                                  20+
      1  wc-product-compare                                       10+
      2  forms-by-made-it                                         30+
     33  setka-workflow                                            0+
      1  qr-user-login                                            20+
      2  giga-messenger-bots                                     500+
      2  backuppressgenius                                        10+
      1  intelly-countdown                                     2,000+
      2  ninja-forms                                       1,000,000+
      1  webpayplus-pst                                           90+
      1  wild-apricot-login                                      600+
      1  simplr-registration-form                              5,000+
      1  calculated-fields-form                               30,000+
      2  nutickets-events                                         40+
      3  wpadmin-backup-to-aws4                                   10+
      5  product-lister-walmart                                    0+
      2  nossl-protect-your-website                               10+
      1  request-a-quote                                         900+
      1  wp-widget-master                                         60+
      2  sitelock                                              2,000+
      1  causes                                                    0+
      2  bravo-security                                            0+
      1  post-type-x                                             900+
     35  alchemyst-forms                                          20+
      1  wallets                                                 300+
      1  ithemes-sync                                         80,000+
      2  pdf-forms                                               100+
     33  setka-editor                                          4,000+
      1  rsvp                                                  5,000+
      3  read-offline                                            600+
     14  wordfence                                         2,000,000+
      2  integration-dynamics                                    400+
      1  awesome-support                                       6,000+
      2  wp-simple-firewall                                   70,000+
      1  contact-form-add                                     30,000+
      8  i2csmobile-for-woo                                       10+
      2  erp                                                   4,000+
      1  planso-forms                                         10,000+
      4  darwin-backup                                           600+
      2  worker                                              500,000+
    105  ose-firewall                                          1,000+
     12  ultimate-security-checker                             7,000+
      2  fomo                                                    100+
     10  stackmover-lite                                           0+
      2  wpshopgermany-free                                      100+
      1  wp-member-login-by-spiral                                60+
      5  simba-plugin-updates-manager                            300+
      2  awebooking                                            6,000+
      2  google-pagespeed-insights                            20,000+
      1  give                                                 30,000+
      1  geodirectory                                         10,000+
      4  wpprivakeysignon                                          0+
      1  linkedin-login                                          800+
      2  aretex-ecommerce-services                                 0+
      4  airstory                                                300+
      5  gnaritas-amazon-ses                                       0+
      2  h5p                                                   8,000+
      1  wp-easy-contact                                         800+
      1  invoicing                                             1,000+
      3  wpx-shortcodes-manager-light                             70+
      1  mp-restaurant-menu                                    4,000+
      1  two-factor                                            2,000+
      1  wp-easy-events                                          100+
      2  wp-management-controller                                100+
     45  axis-subscriptions                                       30+
      8  wordpress-social-login                               70,000+
      2  updraftcentral                                        2,000+
      1  ecommerce-product-catalog                            10,000+
      4  iamport-for-woocommerce                               1,000+
     33  motiforms                                                 0+
      8  wow-facebook-login                                      300+
      1  shift8-ip-intel                                           0+
      1  mis-cursos                                                0+
      2  duplicator                                        1,000,000+
      2  promo                                                    30+
      5  stormpath                                                10+
     58  exploit-scanner                                      50,000+
      1  buddyforms                                            3,000+
      2  xmpp-auth                                                10+
      1  stripe                                               10,000+
      1  intelly-welcome-bar                                     100+
      1  zeus-admin-theme                                        600+
      1  wp-session-manager                                    5,000+
      2  lct-useful-shortcodes-functions                          10+

#9 @s2375840
20 months ago

I'm a plugin author mentioned in the post above.

So does upgrading this library affect us at all, do we have to make any changes?

#10 @dd32
20 months ago

Plugins calling random_int() and random_bytes() should be fine with the changes made here, I'm not really sure why the plugins list was posted :)

Something I am going to note here, is that [42130] Updated Random_Compat from 1.2.1 to 2.0.11, which in the process dropped the OpenSSL provider for WordPress 5.0.

It's possible that the loss of OpenSSL here could be an issue for some environments, notably locked down Linux environments and older Windows systems off the top of my head.

I'm contemplating if we shouldn't add the OpenSSL Handler back in, it'll mean we diverge from upstream, but might be the safest option overall for WordPress.

#11 follow-up: @Ipstenu
20 months ago

@dd32 It was asked in Slack to see who was using it and if they'd have issues. As I said, I don't think anyone will have issues but listing them was no work for me after the scan so I figured I'd share.

#12 in reply to: ↑ 11 @dd32
20 months ago

Replying to Ipstenu:

@dd32 It was asked in Slack to see who was using it and if they'd have issues. As I said, I don't think anyone will have issues but listing them was no work for me after the scan so I figured I'd share.

Ah cool, no problem either way :)

This ticket was mentioned in Slack in #core by paragonie.

19 months ago

#14 follow-up: @paragoninitiativeenterprises
19 months ago

@dd32 - The risk for breakage should be very minimal, but I would add a recommendation in the 4.9.2 release notes in case it does happen.

If a plugin breaks with this upgrade:

  • Replace random_int() with wp_rand()
  • Replace random_bytes() with a function that uses wp_rand() to construct a string.

For example:

<?php
/**
 * Alternative to random_bytes() that uses wp_rand().
 *
 * @param int $len
 * @return string
 * @throws Exception
 * @throws TypeError
 */
function wp_random_byte_string($len = 0)
{
    if (!is_int($len)) {
        throw new TypeError("Length must be an integer.");
    }
    if ($len < 1) {
        throw new Exception("Length must be greater than 0");
    }
    $chr = '';
    for ($i = 0; $i < $len; ++$i) {
        // pack('C', $int) is equivalent to chr($int), without cache timing leaks
        // See: https://paragonie.com/blog/2017/02/cryptographically-secure-php-development#chr
        $chr .= pack('C', wp_rand(0, 255));
    }
    return $chr;
}

This will allow you to gracefully handle degradation. (Feel free to adapt this sample function for core if you want.)
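Building on the sample above, here is an added example (not from the ticket, from random_compat or from core) of how a plugin can prefer the secure functions and drop to the wp_rand() construction only when they are absent or throw, which is the failure mode the OpenSSL provider removal discussed in comment 10 could produce. It assumes it runs inside WordPress, where wp_rand($min, $max) exists; the function names are hypothetical.

```php
<?php
/**
 * Added example: plugin-side wrappers that use random_bytes()/random_int()
 * when a CSPRNG source is available and otherwise fall back to wp_rand().
 *
 * random_compat throws an Exception when it finds no secure source, so the
 * fallback is reached both when the functions are undefined and when they
 * throw. The fallback is only as strong as wp_rand() on the host site.
 */
function plugin_random_bytes($len)
{
    if (!is_int($len) || $len < 1) {
        throw new InvalidArgumentException('Length must be a positive integer.');
    }
    if (function_exists('random_bytes')) {
        try {
            return random_bytes($len);
        } catch (Exception $e) {
            // No CSPRNG source on this host; degrade to wp_rand() below.
        }
    }
    $out = '';
    for ($i = 0; $i < $len; ++$i) {
        // pack('C', ...) rather than chr(), as in the sample above.
        $out .= pack('C', wp_rand(0, 255));
    }
    return $out;
}

function plugin_random_int($min, $max)
{
    if (!is_int($min) || !is_int($max) || $min > $max) {
        throw new InvalidArgumentException('Bounds must be integers with $min <= $max.');
    }
    if (function_exists('random_int')) {
        try {
            return random_int($min, $max);
        } catch (Exception $e) {
            // Same degradation path as plugin_random_bytes().
        }
    }
    return wp_rand($min, $max);
}

/**
 * Example use: a 32-character hex token for a one-time link.
 */
function plugin_make_token()
{
    return bin2hex(plugin_random_bytes(16));
}
```

Validating arguments before the call keeps PHP 7's TypeError/Error from random_int() out of the catch path, so only the "no secure source" case triggers the fallback.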

#15 in reply to: ↑ 14 @dd32
19 months ago

Replying to paragoninitiativeenterprises:

@dd32 - The risk for breakage should be very minimal, but I would add a recommendation in the 4.9.2 release notes in case it does happen.

We've not updated the library in 4.9.2, instead I've modified the old version to parse correctly.

It's likely I'll hack the OpenSSL variant back in to be on the safe side as I'm not going to attempt to set up one of these old Windows servers.
