diff -r be944660c56a -r 3d72ae0968f4 wp/wp-includes/random_compat/random_bytes_dev_urandom.php
--- a/wp/wp-includes/random_compat/random_bytes_dev_urandom.php	Wed Sep 21 18:19:35 2022 +0200
+++ b/wp/wp-includes/random_compat/random_bytes_dev_urandom.php	Tue Sep 27 16:37:53 2022 +0200
@@ -1,22 +1,22 @@
 <?php
 /**
- * Random_* Compatibility Library 
+ * Random_* Compatibility Library
  * for using the new PHP 7 random_* API in PHP 5 projects
- * 
+ *
  * The MIT License (MIT)
  *
- * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises
- * 
+ * Copyright (c) 2015 - 2018 Paragon Initiative Enterprises
+ *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
  * in the Software without restriction, including without limitation the rights
  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  * copies of the Software, and to permit persons to whom the Software is
  * furnished to do so, subject to the following conditions:
- * 
+ *
  * The above copyright notice and this permission notice shall be included in
  * all copies or substantial portions of the Software.
- * 
+ *
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -36,6 +36,7 @@
      * random numbers in accordance with best practices
      *
      * Why we use /dev/urandom and not /dev/random
+     * @ref https://www.2uo.de/myths-about-urandom
      * @ref http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers
      *
      * @param int $bytes
@@ -46,25 +47,47 @@
      */
     function random_bytes($bytes)
     {
+        /** @var resource $fp */
         static $fp = null;
+
         /**
          * This block should only be run once
          */
         if (empty($fp)) {
             /**
-             * We use /dev/urandom if it is a char device.
-             * We never fall back to /dev/random
+             * We don't want to ever read C:\dev\random, only /dev/urandom on
+             * Unix-like operating systems. While we guard against this
+             * condition in random.php, it doesn't hurt to be defensive in depth
+             * here.
+             *
+             * To that end, we only try to open /dev/urandom if we're on a Unix-
+             * like operating system (which means the directory separator is set
+             * to "/" not "\".
              */
-            $fp = fopen('/dev/urandom', 'rb');
-            if (!empty($fp)) {
-                $st = fstat($fp);
-                if (($st['mode'] & 0170000) !== 020000) {
-                    fclose($fp);
-                    $fp = false;
+            if (DIRECTORY_SEPARATOR === '/') {
+                if (!is_readable('/dev/urandom')) {
+                    throw new Exception(
+                        'Environment misconfiguration: ' .
+                        '/dev/urandom cannot be read.'
+                    );
+                }
+                /**
+                 * We use /dev/urandom if it is a char device.
+                 * We never fall back to /dev/random
+                 */
+                /** @var resource|bool $fp */
+                $fp = fopen('/dev/urandom', 'rb');
+                if (is_resource($fp)) {
+                    /** @var array<string, int> $st */
+                    $st = fstat($fp);
+                    if (($st['mode'] & 0170000) !== 020000) {
+                        fclose($fp);
+                        $fp = false;
+                    }
                 }
             }
 
-            if (!empty($fp)) {
+            if (is_resource($fp)) {
                 /**
                  * stream_set_read_buffer() does not exist in HHVM
                  *
@@ -83,6 +106,7 @@
         }
 
         try {
+            /** @var int $bytes */
             $bytes = RandomCompat_intval($bytes);
         } catch (TypeError $ex) {
             throw new TypeError(
@@ -103,7 +127,7 @@
          * if (empty($fp)) line is logic that should only be run once per
          * page load.
          */
-        if (!empty($fp)) {
+        if (is_resource($fp)) {
             /**
              * @var int
              */
@@ -123,29 +147,28 @@
                  */
                 $read = fread($fp, $remaining);
                 if (!is_string($read)) {
-                    if ($read === false) {
-                        /**
-                         * We cannot safely read from the file. Exit the
-                         * do-while loop and trigger the exception condition
-                         *
-                         * @var string|bool
-                         */
-                        $buf = false;
-                        break;
-                    }
+                    /**
+                     * We cannot safely read from the file. Exit the
+                     * do-while loop and trigger the exception condition
+                     *
+                     * @var string|bool
+                     */
+                    $buf = false;
+                    break;
                 }
                 /**
                  * Decrease the number of bytes returned from remaining
                  */
                 $remaining -= RandomCompat_strlen($read);
                 /**
-                 * @var string|bool
+                 * @var string $buf
                  */
-                $buf = $buf . $read;
+                $buf .= $read;
             } while ($remaining > 0);
 
             /**
              * Is our result valid?
+             * @var string|bool $buf
              */
             if (is_string($buf)) {
                 if (RandomCompat_strlen($buf) === $bytes) {