Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#6293 closed defect (bug) (fixed)

phpass should use uniqid(), not getmypid()

Reported by: tellyworth Owned by:
Milestone: 2.5 Priority: normal
Severity: blocker Version: 2.5
Component: General Keywords: has-patch
Focuses: Cc:


class-phpass.php uses this code to generate a random string:

$this->random_state = microtime() . getmypid();

It shouldn't, because (a) it reinvents the uniqid() wheel, and (b) getmypid() is evidently disabled on some locked-down PHP installs:


The patch changes it to call uniqid() instead.

Attachments (1)

phpass-uniqid-r7392.patch (444 bytes) - added by tellyworth 9 years ago.

Download all attachments as: .zip

Change History (10)

#1 @Viper007Bond
9 years ago

  • Severity changed from normal to blocker
  • Version set to 2.5

phpass is a 3rd party class and I believe the developers prefer not to modify them in most cases.

This may be a special case though as it's a blocker.

#2 @Viper007Bond
9 years ago

Oh, also:


Process IDs are not unique, thus they are a weak entropy source. We recommend against relying on pids in security-dependent contexts.

#3 @DD32
9 years ago

phpass is a 3rd party class and I believe the developers prefer not to modify them in most cases.

Cases where its a Security issue or It doesnt work properly can be classified as bugs, AFAIK, Its ok to fix bugs in the version WordPress uses, and submit the patches up stream for consideration, or a better fix.

#4 @Viper007Bond
9 years ago

Yeah, I know. :)

#5 @ryan
9 years ago

Solar Designer, author of phpass, is investigating.

#7 @ryan
9 years ago

Solar Designer sent me a detailed reply, which I'll try to summarize here. In general, getmypid() is sufficient for this fallback code path even if disabled, but if we want to address the warning we can use this:

$this->random_state = microtime() . (function_exists("getmypid") ? getmypid() : "") . uniqid(rand(), TRUE);

This won't go into upstream phpass for awhile due to it's PHP3 dependency, but we can add it if we like.

#8 @westi
9 years ago

  • Cc westi added

#9 @ryan
9 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7421]) Use uniqid if getmypid is disabled. Props Solar Designer. fixes #6293

Note: See TracTickets for help on using tickets.