[wp-trac] [WordPress Trac] #43771: use wp_rand instead of mt_rand()
WordPress Trac
noreply at wordpress.org
Sun Jun 3 11:30:27 UTC 2018
#43771: use wp_rand instead of mt_rand()
-------------------------+--------------------------
Reporter: BjornW | Owner: johnbillion
Type: enhancement | Status: reviewing
Priority: normal | Milestone: 4.9.7
Component: Security | Version:
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
-------------------------+--------------------------
Comment (by BjornW):
Replying to [comment:5 johnbillion]:
> Thanks for the report and the patch @BjornW!
>
> `mt_rand()` is also used in `update_option_new_admin_email()` for the
> same purpose, so this instance will need to be changed too.
>
> `md5()` is only used here as a hashing function, not for a cryptographic
> purpose. The randomness comes from `(mt|wp)_rand()` and `md5()` just
> converts the result into a user-facing, URL-safe format. If the hash was
> successfully reverse engineered it wouldn't expose any information that
> isn't already stored alongside it in the `adminhash` option.
Hi @johnbillion, thanks for your feedback.
I have updated the patch so it includes `update_option_new_admin_email()`
in ''wp-admin/includes/misc.php'' as well.
I'm sorry about posting this here, but after reading
[https://hackerone.com/wordpress WordPress' Policy on HackerOne] I got the
impression that not adhering to the guidelines over there would be
considered a very '**Bad Thing™**'... Since I couldn't produce a
Proof-of-Concept, I assumed Trac would suffice instead of HackerOne. Next
time I'll err towards HackerOne ;)
PS: I've also done a quick grep (`grep -nir 'mt_rand' --include \*.php
--exclude .svn`) on trunk to see the other uses of `mt_rand()` instead of
`wp_rand()`, but I haven't finished my assessment yet of whether these
need changes as well. I'll update this ticket if any (IMHO) need to be
changed.
Thanks
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43771#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
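The point of the ticket is that `md5()` only formats the token; all of its unpredictability comes from the PRNG feeding it, so `mt_rand()` (Mersenne Twister, a 32-bit seed, fully reproducible once that seed is known) is the wrong source for an admin-email confirmation hash. The script below is an added example written for this page, not WordPress core code and not the patch under discussion. It builds a token the way the ticket describes, first from `mt_rand()` and then from a CSPRNG, and shows an attacker who knows (or has brute-forced) the seed regenerating the weak token exactly. The function names, the e-mail address, the timestamp and the seed are constructed for the demonstration; `random_int()` is used as a stand-in for `wp_rand()`, on the assumption that current `wp_rand()` delegates to `random_int()` when PHP provides it.

```php
<?php
declare(strict_types=1);

// Illustrative token builders (my own code, not WordPress core). The
// pattern mirrors the one the ticket discusses: concatenate some context
// with a random number and md5() it so the result is a fixed-length,
// URL-safe string. md5() contributes no secrecy; the PRNG does.

// WEAK: mt_rand() is the Mersenne Twister, a non-cryptographic PRNG.
// Its entire future output is fixed once its seed is known, and the seed
// space is only 32 bits, so an attacker who sees a few outputs (or just
// tries every seed offline) can regenerate any token built from it.
function token_with_mt_rand(string $email, int $now): string
{
    return md5($email . $now . mt_rand());
}

// HARDENED: random_int() reads from the operating system's CSPRNG.
// It stands in here for wp_rand() (assumption: wp_rand() delegates to
// random_int() on current PHP); outside WordPress we call it directly.
function token_with_csprng(string $email, int $now): string
{
    return md5($email . $now . random_int(0, mt_getrandmax()));
}

// STRONGER STILL: skip the hash entirely and hand out 128 bits of raw
// CSPRNG output as hex. Nothing to brute-force and nothing to reverse.
function token_random_bytes(): string
{
    return bin2hex(random_bytes(16));
}

// Attacker simulation for the weak builder: with the seed recovered
// (here simply reused), the attacker regenerates the victim's token.
function attacker_regenerates_token(string $email, int $now, int $seed): bool
{
    mt_srand($seed);                     // server state at token generation
    $victim = token_with_mt_rand($email, $now);

    mt_srand($seed);                     // attacker replays the same seed
    $guess = token_with_mt_rand($email, $now);

    return hash_equals($victim, $guess);
}

// Constructed inputs for the demonstration.
$email = 'admin@example.test';
$now   = 1527939027;   // a fixed timestamp; time() is guessable anyway
$seed  = 0x1337;       // whatever seed the server happened to have

if (!attacker_regenerates_token($email, $now, $seed)) {
    throw new RuntimeException('mt_rand() token should have been reproducible');
}

// The CSPRNG-backed builder is unaffected by mt_srand(): re-seeding the
// Mersenne Twister and calling it twice yields two unrelated tokens.
mt_srand($seed);
$first = token_with_csprng($email, $now);
mt_srand($seed);
$second = token_with_csprng($email, $now);
if ($first === $second) {
    throw new RuntimeException('CSPRNG tokens must not repeat');
}

if (strlen(token_random_bytes()) !== 32) {
    throw new RuntimeException('expected 16 random bytes as 32 hex chars');
}

echo "mt_rand() token reproduced by attacker; CSPRNG tokens were not.\n";
```

Two practical notes. First, the `time()` component in the real pattern adds nothing an attacker cannot guess to within a few seconds, so the PRNG really is the only secret; this is the same observation behind the published randomness attacks on PHP password-reset tokens (Argyros and Kiayias, "I Forgot Your Password: Randomness Attacks Against PHP Applications", USENIX Security 2012). Second, when auditing the other `mt_rand()` call sites the grep in the comment turns up, the question to ask of each is whether anyone outside the server must be unable to predict the value; a shuffle of widget order does not need a CSPRNG, a token that authorises an account change does.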