[wp-trac] [WordPress Trac] #59239: wp_generate_uuid4 collisions
WordPress Trac
noreply at wordpress.org
Wed Mar 18 23:41:11 UTC 2026
#59239: wp_generate_uuid4 collisions
--------------------------------------------+-----------------------
Reporter: joppuyo | Owner: jorbin
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 7.0
Component: General | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-testing commit | Focuses:
--------------------------------------------+-----------------------
Comment (by peterwilsoncc):
@siliconforks I don't think it's worth the additional logic.
The risk of collision with `mt_rand()` is present but very low. The
updated function will only ever fire if a third-party developer calls it
somewhere between the mu-plugins includes and before the `plugins_loaded`
hook. Which itself is rare.
Running the following using the existing (collision prone) code about
tenish didn't result in any collisions.
{{{#!php
<?php
// Requires WordPress to be loaded so that wp_generate_uuid4() is defined.
function gguid_collision_test() {
	$gguids = array(); // UUIDs seen so far, stored as array keys.
	$count  = 0;
	$tries  = 1000000;
	for ( $i = 0; $i < $tries; $i++ ) {
		$gguid = wp_generate_uuid4();
		// Stop at the first UUID that has already been generated in this run.
		if ( isset( $gguids[ $gguid ] ) ) {
			echo "Collision detected after $count tries.\n";
			return;
		}
		$gguids[ $gguid ] = true;
		$count++;
	}
	echo "No collisions detected after $count tries.\n";
}
echo '<pre>';
gguid_collision_test();
exit;
}}}
As this isn't using `mt_rand` for cryptographic purposes, I think it's
fine to use the KISS approach for a `low^2` probability.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59239#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
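
A complementary check, as an added example that is not part of the original comment or of WordPress core: the test loop in the comment above draws from one continuous `mt_rand()` stream, so it cannot show duplicates between requests that start from the same generator state. The function names, the stand-in generator and the seed widths below are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. uuid4_from_mt_rand() is a
// hypothetical stand-in that builds a version-4 UUID from mt_rand() output.
function uuid4_from_mt_rand() {
	return sprintf(
		'%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
		mt_rand( 0, 0xffff ),
		mt_rand( 0, 0xffff ),
		mt_rand( 0, 0xffff ),
		mt_rand( 0, 0x0fff ) | 0x4000, // Version 4 nibble.
		mt_rand( 0, 0x3fff ) | 0x8000, // RFC 4122 variant bits.
		mt_rand( 0, 0xffff ),
		mt_rand( 0, 0xffff ),
		mt_rand( 0, 0xffff )
	);
}

// Simulate up to $requests separate requests. Each one reseeds the generator
// and produces a single UUID. Returns the index of the first request whose
// UUID was already seen, or null if there was no duplicate.
function first_cross_request_collision( $requests, $seed_bits ) {
	$seen = array();
	for ( $i = 0; $i < $requests; $i++ ) {
		// Constructed seed source: a uniform seed from a $seed_bits-wide
		// space. How a real request gets its seed is outside this sketch.
		mt_srand( random_int( 0, ( 1 << $seed_bits ) - 1 ) );
		$uuid = uuid4_from_mt_rand();
		if ( isset( $seen[ $uuid ] ) ) {
			return $i;
		}
		$seen[ $uuid ] = true;
	}
	return null;
}

// Assumed seed widths: 16 bits is a deliberately narrow case, 32 bits is
// the widest seed this sketch models. Needs 64-bit PHP for the 32-bit shift.
foreach ( array( 16, 32 ) as $bits ) {
	$n = first_cross_request_collision( 1000000, $bits );
	echo "$bits-bit seeds: ";
	echo null === $n ? 'no duplicate' : "first duplicate at request $n";
	echo "\n";
}
```

Run it from the PHP CLI; the position of the first duplicate varies between runs because the seeds are drawn at random.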