#42439 closed defect (bug) (fixed)
Update random_compat external library for PHP 7 linting failure
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 4.9.2 | Priority: | normal |
| Severity: | normal | Version: | 4.9 |
| Component: | External Libraries | Keywords: | fixed-major |
| Focuses: | Cc: |
Description
Currently the random_compat library included with WordPress core is the only part that fails against PHP 7 linting. As a tech at WP Engine I've noticed that our customers run into problems when pushing to their remote repositories, so I did a bit of investigation and it looks like the external library included was updated to correct this as of October 2016 as commented here: https://core.trac.wordpress.org/ticket/35665#comment:6
I've created the attached diff and it passes all of the unit tests included with core. I've also verified that it lints correctly via the following command.
for file in $(find . -type f -name "*.php"); do php -l $file; done | grep -v "No syntax errors"
#35665 - Previously updated to version 1.2.1 in ticket #35665
Attachments (1)
Change History (16)
#2
@
6 years ago
Diffing the versions in github looks sane, as does this patch.
It's always been expected that these files would not parse under PHP7, as they're not loaded there. Unfortunately it seems that WPEngine blocks deploying these files, causing issues (IMHO, it's WPE's responsibility to allow them to be deployed).
While I have no issue updating these, as we're so close to the 4.9 release, I'm tempted to leave it until 4.9.1 or 5.0 - even though I don't expect it'll cause any breakage.
#3
@
6 years ago
- Milestone changed from Awaiting Review to 4.9.1
Okay, lets get this in 4.9.1 - I'll review once 4.9 is out. At the minimum we'll remove the PHP7 parse errors from 4.9.1 if the changes upstream are larger than expected.
#7
@
6 years ago
- Owner set to dd32
- Resolution set to fixed
- Status changed from new to closed
In 42344:
#8
@
6 years ago
Did a scan to see who was using this. Doesn't look (to me) like anything SHOULD break.
Calling random_int()
67 matching plugins
Matches Plugin Active installs
======= ====== ===============
1 miniorange-login-with-eve-online-google-facebook 200+
1 ilmomasiina-event-manager 0+
1 xcloner-backup-and-restore 70,000+
2 kocuj-sitemap 2,000+
2 wp-chatbull 60+
1 next-active-directory-integration 2,000+
1 wp-concours 300+
1 advanced-dynamic-pricing-for-woocommerce 0+
1 cart-recovery 200+
1 mazen-seo-connector 10+
1 hacklog-remote-image-autosave 3,000+
1 rocket24-analytics 0+
1 perfectdashboard 900+
2 pwaplusphp 2,000+
2 testimonial-master 50+
1 better-wp-security 800,000+
1 pay-post-by-sms 0+
1 sunny 1,000+
1 apocalypse-meow 1,000+
1 fomo-payment-gateway-for-woocommerce 20+
2 business-master 10+
2 random-user-ids 20+
1 ing-psp 200+
2 mansplainer 0+
1 total-security 2,000+
2 automatic-comment-scheduler 80+
1 beeketing-for-woocommerce 3,000+
2 wp-pgp-encrypted-emails 200+
1 google-maps 50,000+
1 live-weather-station 3,000+
2 quiz-master-next 10,000+
1 woo-payment-highway 0+
1 reservation-engine 10+
2 jekyll-exporter 800+
3 formlift 300+
1 woo-ideal-gateway 100+
4 cidram 200+
1 s2member 30,000+
1 questionnaire 500+
3 mg-member-control 0+
2 woocommerce-germanized 30,000+
1 better-coupon-box 200+
1 civic-sip 30+
1 user-registration 700+
1 custom-tabs-shortcodes 0+
1 translation-connectors 0+
1 look-see-security-scanner 1,000+
2 jetpack 4,000,000+
1 sales-pop 900+
1 unc-gallery 10+
1 everest-review-lite 0+
2 quote-master 1,000+
1 salon-booking-system 3,000+
1 frontend-dashboard-custom-post 0+
14 math-quiz 500+
1 setka-editor 4,000+
3 wordfence 2,000,000+
1 wp-demo-buddy 0+
1 awesome-support 6,000+
1 erp 4,000+
1 well-handled 60+
2 woorewards 10+
1 admin-menu 300+
1 axis-subscriptions 30+
1 convertiser-widgets 50+
2 wptimetoread 0+
1 upstream 900+
calling random_bytes()
241 matching plugins
Matches Plugin Active installs
======= ====== ===============
5 wp-rekogni 0+
2 wp-native-php-sessions 10,000+
1 eduadmin-booking 10+
2 miniorange-login-with-eve-online-google-facebook 200+
1 wpx-maintenance-pro-light 20+
1 xcloner-backup-and-restore 70,000+
1 social-nation-itsme-oauth-login-multibutton 0+
1 employee-directory 400+
1 lifterlms 6,000+
2 wp-meta-data-filter-and-taxonomy-filter 10,000+
1 opal-hotel-room-booking 800+
4 joebooking 300+
3 wp-chatbull 60+
5 next-active-directory-integration 2,000+
1 wp-travel 500+
2 wp-hr-manager 10+
1 branding 200+
37 easy-affiliate-cloaker 10+
8 logy 10+
2 webxpay-payment-gateway-for-woocommerce 40+
1 yith-woocommerce-request-a-quote 10,000+
1 leaflet-maps-marker 40,000+
2 trusona 300+
8 premium-seo-pack-light-version 500+
8 jannes-mannes-social-media-auto-publisher 0+
5 import-youtube-videos-as-wp-post 900+
1 learnpress 30,000+
5 ga-experiments-plus-dev-edition 10+
5 static-html-output-plugin 6,000+
1 liveeditor 100+
5 do-spaces-sync 0+
5 dxw-members-only 0+
1 deemly 0+
1 mazen-seo-connector 10+
2 ssh-sftp-updater-support 40,000+
1 idea-board 10+
2 wp-splashing-images 50+
3 wpx-server-light 30+
5 backup-wd 6,000+
2 mucash-micro-payments 10+
1 site-reviews 1,000+
5 wp-stateless 1,000+
39 mpl-publisher 100+
3 wp-otp 80+
5 download-s3-content 0+
5 cf7-spreadsheets 20+
2 php-compatibility-checker 40,000+
38 rocket24-analytics 0+
33 perfectdashboard 900+
5 protect-wp-videos 0+
1 allwebmenus-wordpress-menu-plugin 200+
8 yith-woocommerce-social-login 10,000+
2 easy-digital-downloads 60,000+
5 ider-login 0+
8 join-us 0+
2 iwp-client 400,000+
5 intelligence 80+
2 jigoshop-ecommerce 300+
1 solidres 200+
8 auto-post-woocommerce-products 0+
1 wp-ticket 500+
1 extranet 100+
1 participants-database 10,000+
34 wp-blade-engine 0+
1 campus-directory 100+
5 wp-consent-receipt 0+
2 backup-amazon-s3 1,000+
47 cartrabbit 0+
1 wp-ldap 0+
2 sg-cachepress 200,000+
5 wp-seo-keyword-optimizer 2,000+
2 keyy 1,000+
8 awesome-studio 50+
5 peek-uploader-to-s3-for-wpdm 0+
1 login-with-qr 10+
1 woo-rfq-for-woocommerce 1,000+
2 auxin-elements 2,000+
37 ing-psp 200+
5 gmail-smtp 20,000+
1 iamport-for-easy-digital-downloads 40+
2 woo-cart-fields 0+
1 marketengine 50+
2 cloudflare 100,000+
4 buddypress-smf-import 0+
5 aceide 10,000+
3 wp-cleanfix 3,000+
1 data-generator 10+
6 total-security 2,000+
2 contact-bot 100+
8 fb-instant-articles 70,000+
1 yith-essential-kit-for-woocommerce-1 20,000+
2 duplicator-clone 5,000+
1 postmatic-social-commenting 300+
67 beeketing-for-woocommerce 3,000+
7 wp-pgp-encrypted-emails 200+
1 wp-hotelier 500+
2 database-backup-amazon-s3 500+
2 post-crumbs 0+
2 wpguards 30+
3 wpx-cron-manager-light 600+
3 best-configuration 10+
8 wp-online-store 1,000+
1 sell-media 2,000+
2 wechat-broadcast 100+
36 woo-payment-highway 0+
1 comments-with-social-login 10+
1 httpcs-validation 0+
33 reservation-engine 10+
5 pxp-press 0+
1 software-issue-manager 100+
2 doolox-node 0+
1 mystyle-custom-product-designer 100+
1 woo-easy-autocomplete-order 0+
1 securelogin 10+
32 ginger-woocommerce 40+
4 socializr 0+
2 wd-google-analytics 20,000+
2 extrawatch-pro 600+
8 nextend-facebook-connect 100,000+
1 pro-vip 200+
5 launchkey 100+
2 cidram 200+
35 s2member 30,000+
1 bemo-a-z-index 200+
10 akamai 90+
5 grid-social-boxes 10+
2 woocommerce-germanized 30,000+
2 drupal-password-encryption 100+
1 intelly-posts-footer-manager 100+
67 better-coupon-box 200+
2 constant-contact-forms 70,000+
50 civic-sip 30+
4 buddypress 200,000+
2 cyan-backup 2,000+
1 user-registration 700+
2 wp-backup-manager 20+
13 gianism 1,000+
3 booxtream-for-woocommerce 20+
33 translation-connectors 0+
5 ilab-media-tools 400+
1 placeholder-images 0+
2 analytics-counter 50,000+
1 charitable 10,000+
2 laterpay 30+
5 dashylite 0+
2 woocommerce-products-filter 50,000+
5 gecko-google-calendar 0+
3 wp-bannerize-pro 800+
4 pay-again-gateway 0+
2 updraftplus 1,000,000+
2 moosend-email-marketing 10+
1 travelmap-blog 300+
1 wp-oer 0+
2 simple-2fa 0+
1 graphflow-analytics 30+
34 sales-pop 900+
8 chatbot-for-facebook 30+
4 aweber-wordpress-plugin 20+
1 wc-product-compare 10+
2 forms-by-made-it 30+
33 setka-workflow 0+
1 qr-user-login 20+
2 giga-messenger-bots 500+
2 backuppressgenius 10+
1 intelly-countdown 2,000+
2 ninja-forms 1,000,000+
1 webpayplus-pst 90+
1 wild-apricot-login 600+
1 simplr-registration-form 5,000+
1 calculated-fields-form 30,000+
2 nutickets-events 40+
3 wpadmin-backup-to-aws4 10+
5 product-lister-walmart 0+
2 nossl-protect-your-website 10+
1 request-a-quote 900+
1 wp-widget-master 60+
2 sitelock 2,000+
1 causes 0+
2 bravo-security 0+
1 post-type-x 900+
35 alchemyst-forms 20+
1 wallets 300+
1 ithemes-sync 80,000+
2 pdf-forms 100+
33 setka-editor 4,000+
1 rsvp 5,000+
3 read-offline 600+
14 wordfence 2,000,000+
2 integration-dynamics 400+
1 awesome-support 6,000+
2 wp-simple-firewall 70,000+
1 contact-form-add 30,000+
8 i2csmobile-for-woo 10+
2 erp 4,000+
1 planso-forms 10,000+
4 darwin-backup 600+
2 worker 500,000+
105 ose-firewall 1,000+
12 ultimate-security-checker 7,000+
2 fomo 100+
10 stackmover-lite 0+
2 wpshopgermany-free 100+
1 wp-member-login-by-spiral 60+
5 simba-plugin-updates-manager 300+
2 awebooking 6,000+
2 google-pagespeed-insights 20,000+
1 give 30,000+
1 geodirectory 10,000+
4 wpprivakeysignon 0+
1 linkedin-login 800+
2 aretex-ecommerce-services 0+
4 airstory 300+
5 gnaritas-amazon-ses 0+
2 h5p 8,000+
1 wp-easy-contact 800+
1 invoicing 1,000+
3 wpx-shortcodes-manager-light 70+
1 mp-restaurant-menu 4,000+
1 two-factor 2,000+
1 wp-easy-events 100+
2 wp-management-controller 100+
45 axis-subscriptions 30+
8 wordpress-social-login 70,000+
2 updraftcentral 2,000+
1 ecommerce-product-catalog 10,000+
4 iamport-for-woocommerce 1,000+
33 motiforms 0+
8 wow-facebook-login 300+
1 shift8-ip-intel 0+
1 mis-cursos 0+
2 duplicator 1,000,000+
2 promo 30+
5 stormpath 10+
58 exploit-scanner 50,000+
1 buddyforms 3,000+
2 xmpp-auth 10+
1 stripe 10,000+
1 intelly-welcome-bar 100+
1 zeus-admin-theme 600+
1 wp-session-manager 5,000+
2 lct-useful-shortcodes-functions 10+
#9
@
6 years ago
I'm a plugin author mentioned in the post above.
So does upgrading this library affect us at all, do we have to make any changes?
#10
@
6 years ago
Plugins calling random_int() and random_bytes() should be fine with the changes made here, I'm not really sure why the plugins list was posted :)
Something I am going to note here, is that [42130] Updated Random_Compat from 1.2.1 to 2.0.11, which in the process dropped the OpenSSL provider for WordPress 5.0.
It's possible that the loss of OpenSSL here could be an issue for some environments, notably locked down linux environments and older Windows systems off the top of my head.
I'm contemplating if we shouldn't add the OpenSSL Handler back in, it'll mean we diverge from upstream, but might be the safest option overall for WordPress.
#11
follow-up:
↓ 12
@
6 years ago
@dd32 It was asked in Slack to see who was using it and if they'd have issues. As I said, I don't think anyone will have issues but listing them was no work for me after the scan so I figured I'd share.
#12
in reply to:
↑ 11
@
6 years ago
Replying to Ipstenu:
@dd32 It was asked in Slack to see who was using it and if they'd have issues. As I said, I don't think anyone will have issues but listing them was no work for me after the scan so I figured I'd share.
Ah cool, no problem either way :)
This ticket was mentioned in Slack in #core by paragonie. View the logs.
6 years ago
#14
follow-up:
↓ 15
@
6 years ago
@dd32 - The risk for breakage should be very minimal, but I would add a recommendation in the 4.9.2 release notes in case it does happen.
If a plugin breaks with this upgrade:
- Replace
random_int()withwp_rand() - Replace
random_bytes()with a function that useswp_rand()to construct a string.
For example:
<?php
/**
* Alternative to random_bytes() that uses wp_rand().
*
* @param int $len
* @return string
* @throws Exception
* @throws TypeError
*/
function wp_random_byte_string($len = 0)
{
if (!is_int($len)) {
throw new TypeError("Length must be an integer.");
}
if ($len < 1) {
throw new Exception("Length must be greater than 0");
}
$chr = '';
for ($i = 0; $i < $len; ++$i) {
// pack('C', $int) is equivalent to chr($int), without cache timing leaks
// See: https://paragonie.com/blog/2017/02/cryptographically-secure-php-development#chr
$chr .= pack('C', wp_rand(0, 255));
}
return $chr;
}
This will allow you gracefully handle degradation. (Feel free to adapt this sample function for core if you want.)
#15
in reply to:
↑ 14
@
6 years ago
Replying to paragoninitiativeenterprises:
@dd32 - The risk for breakage should be very minimal, but I would add a recommendation in the 4.9.2 release notes in case it does happen.
We've not updated the library in 4.9.2, instead I've modified the old version to parse correctly.
It's likely I'll hack the OpenSSL variant back in to be on the safe side as I'm not going to attempt to setup one of these old windows servers.
Diff submission for ticket # 42439