[MediaWiki-CodeReview] [MediaWiki r114233]: New comment added

2012-03-20 Thread MediaWiki Mail
"Dantman" posted a comment on MediaWiki.r114233.
URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/114233#c32383

Commit summary for MediaWiki.r114233:

Commit the cryptrand project worked on in git:
- MWCryptRand: A new API for generating cryptographic randomness for security 
tokens. Uses whatever cryptographic source is available and if not falls back 
to using random state and clock drift.
- wfRandomString - A simple non-cryptographic pseudo-random string generation 
function to replace wfGenerateToken which was written pretending to be secure 
when it's really not.
- Core updates to use MWCryptRand in various places:
-- user_token generation (to do this we stop generating user_token implicitly 
and only generate it when needed to avoid depleting the system's entropy pool 
by reading random data we'll never use)
-- email confirmation token generation
-- password salt generation
-- temporary password generation
-- Generation of the automatic watchlist token
-- login and create user tokens
-- session ids when php's entropy sources are not set
-- the installer when generating wgSecretKey and the upgrade key

Dantman's comment:

WTF. I test, and test, and test these changes... and still I miss stuff when 
I'm asked to refactor code.

___
MediaWiki-CodeReview mailing list
mediawiki-coderev...@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
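
Added example, not part of the original messages and not MediaWiki's MWCryptRand code: the commit summary's distinction between CSPRNG-backed security tokens and a non-cryptographic random string, plus generating a token only when it is first needed. It assumes PHP 8 and its random_bytes() function; generateHexToken, weakRandomString and LazyToken are hypothetical names.

```php
<?php
declare(strict_types=1);

// Added example; function and class names are hypothetical, not MediaWiki's.

/** Security token: $chars hex characters drawn from the OS CSPRNG. */
function generateHexToken(int $chars): string
{
    if ($chars < 1) {
        throw new InvalidArgumentException('token length must be positive');
    }
    // Two hex characters per byte: round up, then trim an odd-length request.
    $bytes = intdiv($chars + 1, 2);
    // random_bytes() throws rather than silently degrading when no secure
    // source is available.
    return substr(bin2hex(random_bytes($bytes)), 0, $chars);
}

/** Non-cryptographic string: acceptable for test data, never for secrets. */
function weakRandomString(int $chars): string
{
    $out = '';
    while (strlen($out) < $chars) {
        $out .= dechex(mt_rand(0, 0xFFFFFFF)); // Mersenne Twister, predictable
    }
    return substr($out, 0, $chars);
}

/** Defers the CSPRNG read until a token is actually requested. */
final class LazyToken
{
    private ?string $value = null;

    public function __construct(private int $chars = 32)
    {
    }

    public function get(): string
    {
        // First call generates; later calls return the same token.
        return $this->value ??= generateHexToken($this->chars);
    }
}

$token = new LazyToken();                 // no random data read yet
var_dump(strlen($token->get()));          // first call reads the CSPRNG
var_dump(hash_equals($token->get(), $token->get())); // value is stable
var_dump(strlen(generateHexToken(7)));    // odd lengths are trimmed
var_dump(weakRandomString(16));           // not suitable as a secret
```

The typed int parameters with strict_types make a malformed length fail at the call site instead of reaching substr().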


[MediaWiki-CodeReview] [MediaWiki r114233]: New comment added

2012-03-20 Thread MediaWiki Mail
"Reedy" posted a comment on MediaWiki.r114233.
URL: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/114233#c32381

Reedy's comment:

Seeing on trunk:

Notice: A non well formed numeric value encountered in 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php on line 390

Call Stack:
0.0003 651296   1. {main}() 
/home/reedy/mediawiki/trunk/phase3/index.php:0
0.2429   15999288   2. MediaWiki->run() 
/home/reedy/mediawiki/trunk/phase3/index.php:58
0.2430   15999288   3. MediaWiki->main() 
/home/reedy/mediawiki/trunk/phase3/includes/Wiki.php:502
1.2842   39032608   4. MediaWiki->finalCleanup() 
/home/reedy/mediawiki/trunk/phase3/includes/Wiki.php:593
1.2843   39032688   5. OutputPage->output() 
/home/reedy/mediawiki/trunk/phase3/includes/Wiki.php:405
1.2938   39721992   6. SkinTemplate->outputPage() 
/home/reedy/mediawiki/trunk/phase3/includes/OutputPage.php:1982
1.4869   41792816   7. SkinTemplate->buildContentNavigationUrls() 
/home/reedy/mediawiki/trunk/phase3/includes/SkinTemplate.php:451
1.5072   41931248   8. WatchAction::getWatchToken() 
/home/reedy/mediawiki/trunk/phase3/includes/SkinTemplate.php:969
1.5072   41931936   9. User->getEditToken() 
/home/reedy/mediawiki/trunk/phase3/includes/actions/WatchAction.php:122
1.5090   42101528  10. MWCryptRand::generateHex() 
/home/reedy/mediawiki/trunk/phase3/includes/User.php:3182
1.5090   42102312  11. MWCryptRand->realGenerateHex() 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php:473
1.5090   42102392  12. MWCryptRand::generate() 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php:408
1.5091   42102392  13. MWCryptRand->realGenerate() 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php:456
1.5104   42103960  14. substr() 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php:390


Notice: A non well formed numeric value encountered in 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php on line 391

Call Stack:
0.0003 651296   1. {main}() 
/home/reedy/mediawiki/trunk/phase3/index.php:0
0.2429   15999288   2. MediaWiki->run() 
/home/reedy/mediawiki/trunk/phase3/index.php:58
0.2430   15999288   3. MediaWiki->main() 
/home/reedy/mediawiki/trunk/phase3/includes/Wiki.php:502
1.2842   39032608   4. MediaWiki->finalCleanup() 
/home/reedy/mediawiki/trunk/phase3/includes/Wiki.php:593
1.2843   39032688   5. OutputPage->output() 
/home/reedy/mediawiki/trunk/phase3/includes/Wiki.php:405
1.2938   39721992   6. SkinTemplate->outputPage() 
/home/reedy/mediawiki/trunk/phase3/includes/OutputPage.php:1982
1.4869   41792816   7. SkinTemplate->buildContentNavigationUrls() 
/home/reedy/mediawiki/trunk/phase3/includes/SkinTemplate.php:451
1.5072   41931248   8. WatchAction::getWatchToken() 
/home/reedy/mediawiki/trunk/phase3/includes/SkinTemplate.php:969
1.5072   41931936   9. User->getEditToken() 
/home/reedy/mediawiki/trunk/phase3/includes/actions/WatchAction.php:122
1.5090   42101528  10. MWCryptRand::generateHex() 
/home/reedy/mediawiki/trunk/phase3/includes/User.php:3182
1.5090   42102312  11. MWCryptRand->realGenerateHex() 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php:473
1.5090   42102392  12. MWCryptRand::generate() 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php:408
1.5091   42102392  13. MWCryptRand->realGenerate() 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php:456
1.5108   42104032  14. substr() 
/home/reedy/mediawiki/trunk/phase3/includes/CryptRand.php:391

