Feeling Lucky
?
[#8351] - Use random_bytes() backfill in JCrypt::genRandomBytes (Fix #8325)
- Closed
- 11 Nov 2015
- Medium
- Build: staging
- # 8351
- Diff
- mbabker:8325-fix
- Success The Travis CI build passed Details
User tests: Successful: Unsuccessful:
Frankly I have no idea if this is right or backward compatible, but it worked in the one test case I ran through.
As suggested, this PR implements the random_compat backfill and replaces the contents of JCrypt::genRandomBytes() with a proxied call to the random_bytes() function added to PHP 7 (and backfilled by this library).
The quickest test cases to validate this works is to run through the installer; the config's secret value should still be generated. Also, the stats plugin indirectly calls this method to generate its hash and that should continue to be generated.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Labels |
Added:
?
|
||
zero-24
- | Category | ⇒ | Libraries |
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-11-11 01:39:19 |
| Closed_By | ⇒ | wilsonge |
| Milestone |
Added: |
||
Backwards compatible: Since random_compat is a polyfill library, it's the one library where we deemed it acceptable to support ancient versions of PHP (yes, even 5.2.x). As a result, WordPress is adopting it in 4.4.
The patch looks good to me, but I'm one of the authors of the polyfill, so I'd definitely suggest asking any security researchers you've communicated with to share their thoughts first.