Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#6293 closed defect (bug) (fixed)

phpass should use uniqid(), not getmypid()

Reported by: tellyworth Owned by:
Milestone: 2.5 Priority: normal
Severity: blocker Version: 2.5
Component: General Keywords: has-patch
Focuses: Cc:


class-phpass.php uses this code to generate a random string:

$this->random_state = microtime() . getmypid();

It shouldn't, because (a) it reinvents the uniqid() wheel, and (b) getmypid() is evidently disabled on some locked-down PHP installs:


The patch changes it to call uniqid() instead.

Attachments (1)

phpass-uniqid-r7392.patch (444 bytes) - added by tellyworth 10 years ago.

Download all attachments as: .zip

Change History (10)

#1 @Viper007Bond
10 years ago

  • Severity changed from normal to blocker
  • Version set to 2.5

phpass is a 3rd party class and I believe the developers prefer not to modify them in most cases.

This may be a special case though as it's a blocker.

#2 @Viper007Bond
10 years ago

Oh, also:


Process IDs are not unique, thus they are a weak entropy source. We recommend against relying on pids in security-dependent contexts.

#3 @DD32
10 years ago

phpass is a 3rd party class and I believe the developers prefer not to modify them in most cases.

Cases where its a Security issue or It doesnt work properly can be classified as bugs, AFAIK, Its ok to fix bugs in the version WordPress uses, and submit the patches up stream for consideration, or a better fix.

#4 @Viper007Bond
10 years ago

Yeah, I know. :)

#5 @ryan
10 years ago

Solar Designer, author of phpass, is investigating.

#7 @ryan
10 years ago

Solar Designer sent me a detailed reply, which I'll try to summarize here. In general, getmypid() is sufficient for this fallback code path even if disabled, but if we want to address the warning we can use this:

$this->random_state = microtime() . (function_exists("getmypid") ? getmypid() : "") . uniqid(rand(), TRUE);

This won't go into upstream phpass for awhile due to it's PHP3 dependency, but we can add it if we like.

#8 @westi
10 years ago

  • Cc westi added

#9 @ryan
10 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7421]) Use uniqid if getmypid is disabled. Props Solar Designer. fixes #6293

Note: See TracTickets for help on using tickets.