[wp-trac] [WordPress Trac] #35970: Compat random_int issue with hanging mcrypt iv generator when urandom unreadable
WordPress Trac
noreply at wordpress.org
Fri Feb 26 22:38:07 UTC 2016
#35970: Compat random_int issue with hanging mcrypt iv generator when urandom
unreadable
--------------------------+-----------------------------
 Reporter:  phil1984      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  4.4.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
I noticed that after upgrading to the latest WordPress, I can no longer
log in. This is arguably a server configuration problem, but in my opinion
it could be handled better in the WordPress compat code.

When /dev/urandom is not in the open_basedir it is not readable by PHP.
When the random_bytes compat runs, it selects the mcrypt option. This
causes the line

    mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM);

to hang at 100% CPU with DSO PHP, probably because mcrypt is waiting for
the random bytes that never come. Since mcrypt depends on reading from
/dev/urandom it shouldn't be selected as a fallback in
random_compat/random.php.

In fact, if /dev/urandom is not readable it may cause problems with the
other compat fallbacks like openssl.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35970>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
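
The condition reported above, as an added PHP example that is not part of the original message and is not random_compat or WordPress code: it checks whether /dev/urandom is reachable under open_basedir before an mcrypt-based source is allowed to be selected. The function names `path_allowed_by_open_basedir` and `pick_random_source` are hypothetical, and the open_basedir matching is simplified (directory-prefix comparison, no symlink resolution).

```php
<?php
// Added example; not random_compat or WordPress code. Helper names are hypothetical.

// Simplified open_basedir match: entries are treated as directory prefixes,
// with no symlink or "." resolution (assumption made for this example).
function path_allowed_by_open_basedir($path, $openBasedir)
{
    if ((string) $openBasedir === '') {
        return true; // no restriction configured
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        if ($entry === '') {
            continue;
        }
        $base = rtrim($entry, '/');
        if ($base === '' || $path === $base || strpos($path, $base . '/') === 0) {
            return true; // entry is "/" or a parent directory of $path
        }
    }
    return false;
}

// Choose a source without ever calling mcrypt when /dev/urandom is out of reach.
function pick_random_source($openBasedir)
{
    if (function_exists('random_bytes')) {
        return 'native'; // PHP 7+ built-in
    }
    $urandomOk = path_allowed_by_open_basedir('/dev/urandom', $openBasedir)
        && @is_readable('/dev/urandom');
    if ($urandomOk && function_exists('mcrypt_create_iv')) {
        return 'mcrypt';
    }
    if ($urandomOk) {
        return 'urandom';
    }
    return 'none'; // caller should fail closed, not fall back to weak randomness
}

// Constructed open_basedir values, not taken from the ticket.
foreach (array('', '/var/www:/tmp', '/var/www:/dev/urandom', '/') as $value) {
    printf("open_basedir=%-24s urandom allowed: %s\n", var_export($value, true),
        path_allowed_by_open_basedir('/dev/urandom', $value) ? 'yes' : 'no');
}
echo 'selected source: ', pick_random_source(ini_get('open_basedir')), "\n";
```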