[wp-trac] [WordPress Trac] #10727: Update phpass to version 0.2 (check /dev/urandom before accessing it)
WordPress Trac
wp-trac at lists.automattic.com
Sat Oct 3 12:08:06 UTC 2009
#10727: Update phpass to version 0.2 (check /dev/urandom before accessing it)
--------------------------+-------------------------------------------------
Reporter: hakre | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.9
Component: General | Version: 2.8.4
Severity: normal | Keywords: has-patch tested
--------------------------+-------------------------------------------------
Comment(by dd32):
> $this->random_state = microtime() . (function_exists('getmypid') ? getmypid() : '') . uniqid(rand(), TRUE);
IMO, the usage of getmypid() should be removed entirely. It's not a
reliable source of crypto-safe random data. This is due to process IDs
having weak entropy.
To quote the PHP Manual even: "Process IDs are not unique, thus they are a
weak entropy source. We recommend against relying on pids in security-
dependent contexts."
I'd support removal of the getmypid() branch altogether, and relying upon
uniqid(rand(), TRUE) instead, as it's going to be actually random.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10727#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
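The ticket title asks for /dev/urandom to be checked before it is accessed, and the comment above argues for dropping getmypid() from the fallback seed. The following PHP is an added illustration of both points written for this page; it is not phpass or WordPress code. The function names (`example_get_random_bytes`, `example_random_state_seed`) are assumed for the example, and the fallback mixing scheme is a simplified stand-in for whatever the real library does.

```php
<?php
// Added example (not phpass or WordPress code): obtain salt bytes from
// /dev/urandom, checking that it exists and is readable first, and fall
// back to a hash-mixed state that deliberately omits getmypid().

function example_random_state_seed() {
    // Mix wall-clock time with uniqid(), which appends extra random bits
    // when its second argument is true. No process ID is included, since
    // PIDs are predictable and contribute little entropy.
    return microtime() . uniqid(mt_rand(), true);
}

function example_get_random_bytes($count) {
    $output = '';

    // Check before accessing: on hosts without /dev/urandom, or where
    // open_basedir forbids it, an unguarded fopen() would emit a warning.
    if (is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) {
        $output = fread($fh, $count);
        fclose($fh);
    }

    // Fallback: stretch the seed through MD5 in raw mode, 16 bytes per round.
    // This is weaker than the kernel CSPRNG and only used when it is absent.
    if (strlen($output) < $count) {
        $state  = example_random_state_seed();
        $output = '';
        for ($i = 0; $i < $count; $i += 16) {
            $state   = md5(microtime() . $state);
            $output .= md5($state, true);
        }
        $output = substr($output, 0, $count);
    }

    return $output;
}

// Usage: 16 salt bytes, hex-encoded for display.
echo bin2hex(example_get_random_bytes(16)), "\n";
```

On PHP 7 and later the built-in `random_bytes()` replaces all of this, since it reads from the operating system CSPRNG and throws if no secure source is available; the pattern above is only relevant to code that must run on the PHP 5 hosts this ticket was written for.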