https://bugzilla.wikimedia.org/show_bug.cgi?id=55364
Daniel Friesen <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mediawiki-bugs@nadir-seen-fire.com

--- Comment #4 from Daniel Friesen <[email protected]> ---
(In reply to comment #1)
> I have solved this issue.
>
>
> Locate the file includes/CryptRand.php.
> Find the following line 313 (for me):
>
> $iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM );
>
> Change it to:
>
> $iv = mcrypt_create_iv( $rem, MCRYPT_RAND );

Please DO NOT do this. MCRYPT_RAND uses rand(), which is NOT cryptographically secure. By changing that value to MCRYPT_RAND you eliminate the entire security feature, turning CryptRand into an insecure pseudo-random number generator and re-opening yourself up to security vulnerabilities.

You are much MUCH better off taking the line:

if ( function_exists( 'mcrypt_create_iv' ) ) {

And changing it to:

if ( false ) {

This will simply make CryptRand skip over attempting to use mcrypt_create_iv. If openssl_random_pseudo_bytes is available it'll use that. Otherwise it'll fall back to our clock-drift based random number generator, which is STILL more cryptographically secure than MCRYPT_RAND.

--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
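The point of the comment above is that a CSPRNG wrapper should pick its source in order of strength and must never fall through to rand(). The following is an added illustration, not MediaWiki's CryptRand code and not from the bug reporter: a source-selection chain in plain PHP that mirrors the order described (kernel-backed source, then OpenSSL, then /dev/urandom) and fails closed instead of falling back to rand()/mt_rand()/MCRYPT_RAND. The function name secureRandomBytes is an assumption for this example; only standard PHP functions are used.

```php
<?php
/**
 * Added example, not part of MediaWiki or CryptRand. Returns $n bytes from
 * the strongest random source available and never uses rand()/mt_rand(),
 * which is the MCRYPT_RAND mistake the comment above warns about.
 */
function secureRandomBytes( $n ) {
	$n = (int)$n;
	if ( $n <= 0 ) {
		throw new InvalidArgumentException( 'Byte count must be positive' );
	}

	// PHP >= 7: kernel-backed CSPRNG (getrandom/CryptGenRandom/arc4random).
	// It throws if no secure source exists, which is the behaviour we want.
	if ( function_exists( 'random_bytes' ) ) {
		return random_bytes( $n );
	}

	// Older PHP: OpenSSL, but only accept the result when OpenSSL reports
	// that the bytes came from a cryptographically strong source.
	if ( function_exists( 'openssl_random_pseudo_bytes' ) ) {
		$strong = false;
		$bytes = openssl_random_pseudo_bytes( $n, $strong );
		if ( $bytes !== false && $strong === true && strlen( $bytes ) === $n ) {
			return $bytes;
		}
	}

	// Same source MCRYPT_DEV_URANDOM reads; loop because fread() may short-read.
	if ( is_readable( '/dev/urandom' ) ) {
		$fh = fopen( '/dev/urandom', 'rb' );
		if ( $fh !== false ) {
			$bytes = '';
			while ( strlen( $bytes ) < $n ) {
				$chunk = fread( $fh, $n - strlen( $bytes ) );
				if ( $chunk === false || $chunk === '' ) {
					break;
				}
				$bytes .= $chunk;
			}
			fclose( $fh );
			if ( strlen( $bytes ) === $n ) {
				return $bytes;
			}
		}
	}

	// Deliberately no rand()/mt_rand()/MCRYPT_RAND fallback: a predictable
	// generator would silently weaken every token, salt and IV built on it.
	throw new RuntimeException( 'No cryptographically secure random source available' );
}

// Usage: a 128-bit token suitable for a session id, CSRF token or IV.
$token = bin2hex( secureRandomBytes( 16 ) );
printf( "token: %s (%d hex chars)\n", $token, strlen( $token ) );
```

The design choice worth noting is the failure mode: when every strong source is missing the function throws rather than degrading, so a misconfigured host produces an error page instead of predictable IVs. Checking the `$strong` flag from openssl_random_pseudo_bytes matters for the same reason; on some builds OpenSSL will happily return bytes it does not consider strong.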
