Fix mcrypt_create_iv(..., MCRYPT_RAND) to auto-seed RNG
Summary: Without seeding the random number generator, we'll always get the same IV, and that reduces the security of this function. Fortunately, f_rand() has all of that logic for auto-seeding and selection of a suitable initial seed built-in.

Realistically, using MCRYPT_RAND should be deprecated. I'm going to wait on PHP Internals to make a decision on https://wiki.php.net/rfc/deprecate_mcrypt_rand before adding that warning however, so that our test suite remains consistent.

Credit: Theodore R. Smith of PHP Experts, Inc. <theodorephpexperts.pro>

Closes #3496

Reviewed By: @ptarjan

Differential Revision: D1502435
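
The failure mode the commit message describes, as an added example that is not code from this commit or from HHVM: libc `rand()` stands in for the generator behind MCRYPT_RAND, and `srand(1)` models a freshly started process, since the C standard defines an unseeded `rand()` as behaving as if `srand(1)` had been called. The function names are hypothetical, and the `/dev/urandom` variant is an alternative source shown for contrast, not the fix in this commit (which auto-seeds through f_rand()).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IV_LEN 16

/* Pre-fix behaviour (modelled): IV bytes come from rand() and nothing seeds it.
 * srand(1) reproduces the generator state of a process that never called srand(). */
static void iv_from_unseeded_rand(unsigned char *iv, size_t n) {
    srand(1);
    for (size_t i = 0; i < n; i++)
        iv[i] = (unsigned char)(rand() & 0xff);
}

/* IV taken from the kernel CSPRNG. Returns 0 on success, -1 on failure;
 * a caller must treat failure as fatal and never fall back to rand(). */
static int iv_from_urandom(unsigned char *iv, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(iv, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Returns 1 if two simulated process starts produce the same IV. */
int unseeded_ivs_repeat(void) {
    unsigned char a[IV_LEN], b[IV_LEN];
    iv_from_unseeded_rand(a, IV_LEN);
    iv_from_unseeded_rand(b, IV_LEN);
    return memcmp(a, b, IV_LEN) == 0;
}

/* Returns 1 if two CSPRNG IVs are equal, 0 if they differ, -1 on read error. */
int urandom_ivs_repeat(void) {
    unsigned char a[IV_LEN], b[IV_LEN];
    if (iv_from_urandom(a, IV_LEN) || iv_from_urandom(b, IV_LEN)) return -1;
    return memcmp(a, b, IV_LEN) == 0;
}

int main(void) {
    printf("unseeded rand(): IVs repeat = %d\n", unseeded_ivs_repeat());
    printf("/dev/urandom:    IVs repeat = %d\n", urandom_ivs_repeat());
    return 0;
}
```

A repeat check of this shape, run against IVs collected from separate process starts, is a quick regression test for this class of bug.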
FYI, this fix has been assigned CVE-2014-5386