Newsgroups: php.internals
Subject: Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Kazuo Oishi
Cc: internals@lists.php.net
Date: Sat, 7 Jan 2017 09:54:10 +0900
In-Reply-To: <87y3yupshj.fsf@lil.giraffy.jp>
Hi Kazuo,

On Mon, Jan 2, 2017 at 3:03 AM, Kazuo Oishi wrote:

> > I thought we must fix due to proposed PHPMailer bug fix patch. (See below
> > for detail) Previous discussion went wrong because of compatibility
> > misunderstanding. There is _no_ additional BC issue. Please keep in mind
> > this.
> ...
> > Proposed patch for PHPMailer command injection issue:
> >
> > I found following code(patch) for PHPMailer security issue.
> > https://core.trac.wordpress.org/attachment/ticket/37210/0001
> > -Upgrade-PHPMailer-from-5.2.14-to-5.2.19.patch
> >
> > 2086 * Create unique ID
> > 2087 * @return string
> > 2088 */
> > 2089 protected function generateId() {
> > 2090 return md5(uniqid(time()));
> > 2024 2091 }
> > 2025 2092
> > 2026 2093 /**
> > ……class PHPMailer
> > 2034 2101 {
> > 2035 2102 $body = '';
> > 2036 2103 //Create unique IDs and preset boundaries
> > 2037 $this->uniqueid = md5(uniqid(time()));
> > 2104 $this->uniqueid = $this->generateId();
> > 2038 2105 $this->boundary[1] = 'b1_' . $this->uniqueid;
> > 2039 2106 $this->boundary[2] = 'b2_' . $this->uniqueid;
> > 2040 2107 $this->boundary[3] = 'b3_' . $this->uniqueid;
> >
> > Although I never recommend such code, the ID is good enough for this
> > specific usage. I think we should remove the gotcha, "uniqid() is not
> > unique". This code explains why.
>
> Obviously, this is not related to your patch. "we must fix due to
> proposed PHPMailer bug fix patch" is "FUD". Behavior of uniqid without
> $more_entropy=TRUE is not changed.

You misunderstand the mail. PHPMailer and the uniqid() fix are unrelated, but
uniqid() is misused in the proposed patch in an obvious way.

> > What's your intention?

The point we should learn from the code is, it is clear that users
misunderstand how uniqid() works. You'll find a number of such usages if
you search the net.
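Review bot: the docblock at 2086 ("Create unique ID") does not say which property the callers at 2105-2107 rely on, and generateId() at 2090 builds the value from md5(uniqid(time())), where uniqid() is called without $more_entropy=TRUE; as this thread's subject and the quoted "Behavior of uniqid without $more_entropy=TRUE" note make clear, that form is the clock, so md5() only reformats a predictable input rather than adding entropy. If the boundaries only need to be unique within the message, state that in the docblock; if they are ever expected to be unguessable, the call should pass TRUE for $more_entropy or draw from a random source instead of time().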
Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
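An added example, not code from this thread or from PHPMailer, that decodes a uniqid() value back into the clock fields PHP packs into it (decodeUniqid is a hypothetical helper name): it makes the misunderstanding above concrete, since uniqid() without $more_entropy is a formatted timestamp, and the last line shows the CSPRNG source to use when an identifier must actually be unguessable.

```php
<?php
declare(strict_types=1);

/**
 * Split a uniqid() value into the fields PHP formats into it:
 * "%s%08x%05x" = prefix, seconds, microseconds, followed by a
 * ".dddddddd"-style LCG fraction only when $more_entropy was TRUE.
 * Returns null when $id does not have that shape.
 */
function decodeUniqid(string $id, string $prefix = ''): ?array
{
    if (strncmp($id, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $body = substr($id, strlen($prefix));
    if (!preg_match('/^([0-9a-f]{8})([0-9a-f]{5})(\d\.\d{8})?$/', $body, $m)) {
        return null;
    }
    return [
        'seconds'      => (int) hexdec($m[1]),
        'microseconds' => (int) hexdec($m[2]),
        // Trailing unmatched groups are omitted by preg_match, hence isset().
        'lcg'          => isset($m[3]) && $m[3] !== '' ? (float) $m[3] : null,
    ];
}

// PHPMailer-style call from the quoted patch: a time() prefix plus uniqid().
$prefix = (string) time();
$id     = uniqid($prefix);
$parts  = decodeUniqid($id, $prefix);
printf("%s\n  seconds=%d (%s) microseconds=%d\n",
    $id, $parts['seconds'], date('c', $parts['seconds']), $parts['microseconds']);

// With $more_entropy=TRUE the LCG fraction is appended; the clock part is unchanged.
$id2   = uniqid('', true);
$parts = decodeUniqid($id2);
printf("%s\n  lcg=%s\n", $id2, var_export($parts['lcg'], true));

// Neither form is a secret. For an unguessable token, use the CSPRNG.
echo bin2hex(random_bytes(16)), "\n";
```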