[wp-trac] [WordPress Trac] #43771: use wp_rand instead of mt_rand()
WordPress Trac
noreply at wordpress.org
Wed May 30 10:07:33 UTC 2018
#43771: use wp_rand instead of mt_rand()
-------------------------+--------------------------
Reporter: BjornW | Owner: johnbillion
Type: enhancement | Status: reviewing
Priority: normal | Milestone: 4.9.7
Component: Security | Version:
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
-------------------------+--------------------------
Changes (by johnbillion):
* keywords: dev-feedback has-patch 2nd-opinion => needs-patch
* owner: (none) => johnbillion
* version: trunk =>
* status: new => reviewing
* milestone: Awaiting Review => 4.9.7
Comment:
Thanks for the report and the patch @BjornW!
`mt_rand()` is also used in `update_option_new_admin_email()` for the same
purpose, so this instance will need to be changed too.
`md5()` is only used here as a hashing function, not for a cryptographic
purpose. The randomness comes from `(mt|wp)_rand()` and `md5()` just
converts the result into a user-facing, URL-safe format. If the hash was
successfully reverse engineered it wouldn't expose any information that
isn't already stored alongside it in the `adminhash` option.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43771#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
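As an added example (not the ticket's patch and not WordPress core code), the confirmation-hash pattern the comment describes, written in plain PHP with the weak `mt_rand()` form beside a hardened one that draws from the OS CSPRNG via `random_int()` (the generator `wp_rand()` wraps where available); the function names and the array layout stored under `adminhash` are assumptions for this demonstration.

```php
<?php
// Added example: admin-email confirmation hash, weak vs hardened.
// generate_admin_email_hash() and the 'adminhash' array shape are assumed
// names for this demo, not WordPress core identifiers.
declare(strict_types=1);

// Weak: mt_rand() is a Mersenne Twister seeded from guessable state, so
// its output is not suitable for a security token.
function weak_admin_hash(): string {
    return md5((string) mt_rand());
}

// Hardened: randomness comes from random_int() (a CSPRNG). md5() remains
// only a formatting step producing a 32-char, URL-safe hex string; it adds
// no secrecy of its own.
function generate_admin_email_hash(): string {
    return md5((string) random_int(PHP_INT_MIN, PHP_INT_MAX));
}

// Store the hash next to the pending address, as the comment says the
// adminhash option does: reversing md5 reveals nothing beyond what sits
// beside it.
function stage_admin_email_change(array &$options, string $new_email): string {
    $hash = generate_admin_email_hash();
    $options['adminhash'] = ['hash' => $hash, 'newemail' => $new_email];
    return $hash;
}

// Confirm: constant-time compare, then consume the one-time token.
function confirm_admin_email_change(array &$options, string $submitted): ?string {
    if (!isset($options['adminhash']['hash'])) {
        return null;
    }
    if (!hash_equals($options['adminhash']['hash'], $submitted)) {
        return null;
    }
    $new = $options['adminhash']['newemail'];
    unset($options['adminhash']);
    return $new;
}

// Constructed sample run (no WordPress installation required).
$options = [];
$hash = stage_admin_email_change($options, 'admin@example.com');
if (strlen($hash) !== 32 || !ctype_xdigit($hash)) { throw new RuntimeException('bad hash format'); }
if (confirm_admin_email_change($options, 'deadbeef') !== null) { throw new RuntimeException('wrong token accepted'); }
if (confirm_admin_email_change($options, $hash) !== 'admin@example.com') { throw new RuntimeException('valid token rejected'); }
if (isset($options['adminhash'])) { throw new RuntimeException('token not consumed'); }
echo "ok\n";
```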