Hi Kazuo,

On Mon, Jan 2, 2017 at 3:03 AM, Kazuo Oishi <ka...@o-ishi.jp> wrote:

> > I thought we must fix due to proposed PHPMailer bug fix patch. (See below
> > for detail) Previous discussion went wrong because of compatibility
> > misunderstanding. There is _no_ additional BC issue. Please keep in mind
> > this.
> ...
> > Proposed patch for PHPMailer command injection issue:
> >
> > I found following code(patch) for PHPMailer security issue.
> > https://core.trac.wordpress.org/attachment/ticket/37210/0001-Upgrade-PHPMailer-from-5.2.14-to-5.2.19.patch
> >
> >      2086     * Create unique ID
> >      2087     * @return string
> >      2088     */
> >      2089    protected function generateId() {
> >      2090        return md5(uniqid(time()));
> > 2024 2091    }
> > 2025 2092
> > 2026 2093    /**
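Review bot: generateId() still returns md5(uniqid(time())), so moving the expression into a method changes nothing about where the ID's uniqueness comes from: uniqid() without the $more_entropy flag discussed in this thread is derived from the current second and microsecond, the time() prefix repeats a value uniqid() already encodes, and md5() cannot add entropy to its input. The docblock "Create unique ID" should state what is actually guaranteed (a clock-based value), or the body should draw on a CSPRNG such as random_bytes() where the supported PHP versions allow it.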
> > ……class PHPMailer
> > 2034 2101    {
> > 2035 2102        $body = '';
> > 2036 2103        //Create unique IDs and preset boundaries
> > 2037             $this->uniqueid = md5(uniqid(time()));
> >      2104        $this->uniqueid = $this->generateId();
> > 2038 2105        $this->boundary[1] = 'b1_' . $this->uniqueid;
> > 2039 2106        $this->boundary[2] = 'b2_' . $this->uniqueid;
> > 2040 2107        $this->boundary[3] = 'b3_' . $this->uniqueid;
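Review bot: the call-site change is a straight substitution and fine as a refactor, but because b1_, b2_ and b3_ differ only in their prefix, all three boundaries inherit whatever predictability generateId() has; and since the method is protected and so overridable, the docblock should say that an override must return a value usable as a MIME boundary (RFC 2046 boundary characters, at most 70 of them), which it currently does not.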
> >
> > Although I never recommend such code, the ID is good enough for this
> > specific usage. I think we should remove the gotcha, "uniqid() is not
> > unique". This code explains why.
>
> Obviously, this is not related to your patch.  "we must fix due to
> proposed PHPMailer bug fix patch" is "FUD".  Behavior of uniqid without
> $more_entropy=TRUE is not changed.
>

You misunderstand the mail.
The PHPMailer and uniqid() fixes are unrelated, but uniqid() is misused in the
proposed patch in an obvious way.


>
> What's your intention?
>

The point we should learn from the code is that users clearly misunderstand
how uniqid() works.  You'll find a number of such usages if you search the
net.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
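As an added illustration of the misunderstanding described above (example code written for this page, not from the thread or from PHPMailer; the helper names are my own): uniqid() without $more_entropy is documented to encode the current second and microsecond as 13 hex digits, so md5(uniqid(time())) is a fixed function of the clock and random_bytes() is the kind of source to use when the value must be unpredictable.

```php
<?php
// Added example: why md5(uniqid(time())) is not an unpredictable ID,
// and what a clock-independent alternative looks like.

// uniqid() with $more_entropy = false returns the prefix followed by
// 8 hex digits of seconds and 5 hex digits of microseconds (13 in total).
// Helper name is my own, not a PHP or PHPMailer function.
function uniqidToTimestamp(string $id): array
{
    $core = substr($id, -13);               // drop whatever prefix was passed
    return [
        'seconds'      => hexdec(substr($core, 0, 8)),
        'microseconds' => hexdec(substr($core, 8, 5)),
    ];
}

// Number of distinct inputs md5(uniqid(...)) can see in a window of whole
// seconds: one per microsecond, tiny compared with a 128-bit digest.
function candidateSpace(int $windowSeconds): int
{
    return $windowSeconds * 1000000;
}

// The expression from the patch under discussion.
$raw = uniqid(time());
$id  = md5($raw);
$ts  = uniqidToTimestamp($raw);

printf("uniqid(time())   = %s\n", $raw);
printf("time() prefix    = %s\n", substr($raw, 0, -13));
// The prefix repeats the seconds field (barring a second boundary between
// the two clock reads), so it adds nothing uniqid() did not already have.
printf("encoded instant  = %d.%06d (%s)\n", $ts['seconds'],
    $ts['microseconds'], date('c', $ts['seconds']));
printf("md5 of it        = %s (same input, same digest)\n", $id);
printf("values possible in a 60 s window: %d\n", candidateSpace(60));

// Clock-independent ID from the CSPRNG (PHP >= 7.0); helper name is my own.
function randomBoundaryId(): string
{
    return bin2hex(random_bytes(16));       // 32 hex chars, RFC 2046-safe
}
printf("random_bytes id  = %s\n", randomBoundaryId());
```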
