--- a/wp/wp-includes/random_compat/random_bytes_dev_urandom.php Wed Sep 21 18:19:35 2022 +0200
+++ b/wp/wp-includes/random_compat/random_bytes_dev_urandom.php Tue Sep 27 16:37:53 2022 +0200
@@ -1,22 +1,22 @@
<?php
/**
- * Random_* Compatibility Library
+ * Random_* Compatibility Library
* for using the new PHP 7 random_* API in PHP 5 projects
- *
+ *
* The MIT License (MIT)
*
- * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises
- *
+ * Copyright (c) 2015 - 2018 Paragon Initiative Enterprises
+ *
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
- *
+ *
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
- *
+ *
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -36,6 +36,7 @@
* random numbers in accordance with best practices
*
* Why we use /dev/urandom and not /dev/random
+ * @ref https://www.2uo.de/myths-about-urandom
* @ref http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers
*
* @param int $bytes
@@ -46,25 +47,47 @@
*/
function random_bytes($bytes)
{
+ /** @var resource $fp */
static $fp = null;
+
/**
* This block should only be run once
*/
if (empty($fp)) {
/**
- * We use /dev/urandom if it is a char device.
- * We never fall back to /dev/random
+ * We don't want to ever read C:\dev\random, only /dev/urandom on
+ * Unix-like operating systems. While we guard against this
+ * condition in random.php, it doesn't hurt to be defensive in depth
+ * here.
+ *
+ * To that end, we only try to open /dev/urandom if we're on a Unix-
+ * like operating system (which means the directory separator is set
+ * to "/" not "\".
*/
- $fp = fopen('/dev/urandom', 'rb');
- if (!empty($fp)) {
- $st = fstat($fp);
- if (($st['mode'] & 0170000) !== 020000) {
- fclose($fp);
- $fp = false;
+ if (DIRECTORY_SEPARATOR === '/') {
+ if (!is_readable('/dev/urandom')) {
+ throw new Exception(
+ 'Environment misconfiguration: ' .
+ '/dev/urandom cannot be read.'
+ );
+ }
+ /**
+ * We use /dev/urandom if it is a char device.
+ * We never fall back to /dev/random
+ */
+ /** @var resource|bool $fp */
+ $fp = fopen('/dev/urandom', 'rb');
+ if (is_resource($fp)) {
+ /** @var array<string, int> $st */
+ $st = fstat($fp);
+ if (($st['mode'] & 0170000) !== 020000) {
+ fclose($fp);
+ $fp = false;
+ }
}
}
- if (!empty($fp)) {
+ if (is_resource($fp)) {
/**
* stream_set_read_buffer() does not exist in HHVM
*
@@ -83,6 +106,7 @@
}
try {
+ /** @var int $bytes */
$bytes = RandomCompat_intval($bytes);
} catch (TypeError $ex) {
throw new TypeError(
@@ -103,7 +127,7 @@
* if (empty($fp)) line is logic that should only be run once per
* page load.
*/
- if (!empty($fp)) {
+ if (is_resource($fp)) {
/**
* @var int
*/
@@ -123,29 +147,28 @@
*/
$read = fread($fp, $remaining);
if (!is_string($read)) {
- if ($read === false) {
- /**
- * We cannot safely read from the file. Exit the
- * do-while loop and trigger the exception condition
- *
- * @var string|bool
- */
- $buf = false;
- break;
- }
+ /**
+ * We cannot safely read from the file. Exit the
+ * do-while loop and trigger the exception condition
+ *
+ * @var string|bool
+ */
+ $buf = false;
+ break;
}
/**
* Decrease the number of bytes returned from remaining
*/
$remaining -= RandomCompat_strlen($read);
/**
- * @var string|bool
+ * @var string $buf
*/
- $buf = $buf . $read;
+ $buf .= $read;
} while ($remaining > 0);
/**
* Is our result valid?
+ * @var string|bool $buf
*/
if (is_string($buf)) {
if (RandomCompat_strlen($buf) === $bytes) {