[wp-trac] [WordPress Trac] #19571: wp_rand() can return a value outside the requested range
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 15 21:36:14 UTC 2011
#19571: wp_rand() can return a value outside the requested range
--------------------------+-----------------------------
Reporter: mdawaffe | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.3
Severity: normal | Keywords: has-patch
--------------------------+-----------------------------
On some 32-bit hosts, the Entropy builds of PHP truncate integer literals larger
than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats.
{{{
var_dump( 3000000000 === 2147483647 ); // true
}}}
This can cause {{{wp_rand()}}} to return a value outside the requested
range. That unexpected value in turn breaks {{{wp_generate_password()}}},
which can have security ramifications.
The entropy builds of PHP can be downloaded from:
* http://taracque.hu/php5/
* http://www.entropy.ch/software/macosx/php/
* http://blog.liip.ch/archive/2011/04/13/php-5-3-for-os-x-10-6-one-line-installer.html
* http://php-osx.liip.ch/
* and probably others. Entropy is somewhat popular in the OS X community.
Steps to reproduce:
1. Find an old 32-bit Mac.
2. curl -O '!http://taracque.hu/downloads/Entropy_PHP_5-3-8-0.zip'
3. unzip Entropy_PHP_5-3-8-0.zip
4. sudo installer -pkg Entropy_PHP_5-3-8-0.pkg -target "/"
5. /usr/local/php5/bin/php -r 'var_dump( 3000000000 === 2147483647 );'
The attached patch to `wp_rand()` checks for the problem and creates the
problematic large integer as a string cast to a float rather than as an
int (which, on working PHP builds, would be implicitly cast to a float).
The patch is also implemented as a plugin:
http://wordpress.org/extend/plugins/wp-rand-for-entropy-php/
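The failure mode and the string-cast workaround, shown as an added PHP example. This is not the ticket's attached patch or the plugin's code: the helper names are hypothetical, and the "raw" 32-bit value is constructed as a float so the simulation runs identically on working and broken builds. wp_rand() reduces a 32-bit random value into the caller's range by dividing by 0xffffffff + 1; if that literal is clamped to PHP_INT_MAX, the quotient approaches 2 instead of 1 and the result lands well outside [$min, $max]. Because wp_generate_password() uses wp_rand() as an index into its character set, an out-of-range index yields a shorter, weaker password than requested.

```php
<?php
// Added example, not the ticket's patch. Demonstrates how a clamped
// 0xffffffff literal pushes the range reduction out of bounds and how
// building the constant from a string sidesteps the literal parser.

function entropy_build_truncates_ints() {
    // The ticket's probe: on affected builds this literal is clamped
    // to PHP_INT_MAX, so the comparison is true.
    return 3000000000 === 2147483647;
}

function max_random_number() {
    // Hypothetical helper. A numeric string cast to float never goes
    // through the integer-literal path, so it is never clamped.
    return entropy_build_truncates_ints() ? (float) '4294967295' : 4294967295;
}

function reduce_to_range($value, $min, $max, $divisor) {
    // Same arithmetic shape as wp_rand()'s range reduction.
    return $min + (($max - $min + 1) * ($value / ($divisor + 1)));
}

// Constructed input: the largest 32-bit value, held as a float so the
// simulation does not itself depend on a working literal parser.
$raw = (float) '4294967295';

// What 4294967295 becomes on a broken build.
$truncated_divisor = 2147483647;

$bad  = abs(intval(reduce_to_range($raw, 0, 9, $truncated_divisor)));
$good = abs(intval(reduce_to_range($raw, 0, 9, max_random_number())));

echo "truncated divisor: $bad\n";   // 19, outside the requested 0..9
echo "string-cast divisor: $good\n"; // 9, inside the requested range

// Defensive check a caller can keep regardless of build: never trust
// the reduction to stay in range on its own.
function in_range($value, $min, $max) {
    return $value >= $min && $value <= $max;
}
echo in_range($bad, 0, 9) ? "ok\n" : "out of range\n";
echo in_range($good, 0, 9) ? "ok\n" : "out of range\n";
```

The check `3000000000 === 2147483647` costs nothing on a healthy build and is the cheapest way to detect the clamping at runtime; the string cast is what actually avoids it, since the literal never reaches the parser's integer path.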
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19571>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software