Last modified: 2014-06-23 16:07:07 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T57364, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 55364 - CryptRand.php
Status: RESOLVED DUPLICATE of bug 35894
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.21.x
Hardware: All All
Importance: Unprioritized critical
Assigned To: Nobody - You can work on this!
Reported: 2013-10-06 11:34 UTC by zdroid9770
Modified: 2014-06-23 16:07 UTC

Description zdroid9770 2013-10-06 11:34:53 UTC
When trying to enter the Special:UserLogin page, this error will come up. This blocks ANYONE from signing in and signing up.

Fatal error: mcrypt_create_iv() [<a href='function.mcrypt-create-iv'>function.mcrypt-create-iv</a>]: Could not gather sufficient random data in D:\Hosting\11901580\html\wiki\includes\CryptRand.php on line 313
Comment 1 zdroid9770 2013-10-06 11:42:06 UTC
I have solved this issue.


Locate the file includes/CryptRand.php.
Find the following line 313 (for me):

$iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM );

Change it to:

$iv = mcrypt_create_iv( $rem, MCRYPT_RAND );
Comment 2 Jesús Martínez Novo (Ciencia Al Poder) 2013-10-06 12:40:52 UTC

*** This bug has been marked as a duplicate of bug 44142 ***
Comment 3 Jesús Martínez Novo (Ciencia Al Poder) 2013-10-06 12:58:33 UTC

*** This bug has been marked as a duplicate of bug 35894 ***
Comment 4 Daniel Friesen 2013-10-06 13:10:25 UTC
(In reply to comment #1)
> I have solved this issue.
> 
> 
> Locate the file includes/CryptRand.php.
> Find the following line 313 (for me):
> 
> $iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM );
> 
> Change it to:
> 
> $iv = mcrypt_create_iv( $rem, MCRYPT_RAND );

Please DO NOT do this. MCRYPT_RAND uses rand() which is NOT cryptographically secure. By changing that value to MCRYPT_RAND you eliminate the entire security feature, turning CryptRand into an insecure pseudo-random number generator and re-opening yourself up to security vulnerabilities.

You are much MUCH better off taking the line:

if ( function_exists( 'mcrypt_create_iv' ) ) {

And changing it to:

if ( false ) {

This will simply make CryptRand skip over attempting to use mcrypt_create_iv. If openssl_random_pseudo_bytes is available it'll use that. Otherwise it'll fall back to our clock-drift based random number generator, which is STILL more cryptographically secure than MCRYPT_RAND.
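
An added example, not MediaWiki's CryptRand code: a fail-closed version of the source selection described in comment 4, where a misbehaving source is skipped instead of being swapped for MCRYPT_RAND. The function name secureRandomBytes and its $skip parameter are hypothetical, and the clock-drift fallback is left out.

```php
<?php
/**
 * Added example with hypothetical names; not the project's code.
 *
 * Returns $len bytes from the first usable CSPRNG source. Sources named
 * in $skip are never called, which is the configurable equivalent of the
 * "if ( false )" edit. There is no rand()/MCRYPT_RAND branch: when no
 * strong source is available the function throws.
 */
function secureRandomBytes( $len, array $skip = array() ) {
	// PHP 7+: random_bytes() throws on failure instead of degrading.
	if ( !in_array( 'random_bytes', $skip ) && function_exists( 'random_bytes' ) ) {
		return random_bytes( $len );
	}

	// mcrypt (removed in PHP 7.2): only ever request the OS source.
	if ( !in_array( 'mcrypt', $skip ) && function_exists( 'mcrypt_create_iv' ) ) {
		$iv = @mcrypt_create_iv( $len, MCRYPT_DEV_URANDOM );
		if ( is_string( $iv ) && strlen( $iv ) === $len ) {
			return $iv;
		}
	}

	// OpenSSL: accept the bytes only when it reports a strong algorithm.
	if ( !in_array( 'openssl', $skip ) && function_exists( 'openssl_random_pseudo_bytes' ) ) {
		$strong = false;
		$bytes = openssl_random_pseudo_bytes( $len, $strong );
		if ( $strong === true && is_string( $bytes ) && strlen( $bytes ) === $len ) {
			return $bytes;
		}
	}

	// Fail closed: refusing to issue a token beats issuing a guessable one.
	throw new RuntimeException( 'No cryptographically secure random source available' );
}

// On a host where mcrypt misbehaves, skip it rather than weakening it.
$token = bin2hex( secureRandomBytes( 16, array( 'mcrypt' ) ) );
echo $token, "\n";
```
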
Comment 5 zdroid9770 2013-10-06 13:21:28 UTC
Yea I just realized that and quickly reverted my change. Thank you!
Comment 6 Daniel Friesen 2013-10-06 13:37:23 UTC
Would you mind reporting what version of PHP and version and build of Windows you are using? This bug is actually very specific to certain environments; there are other situations where this code works perfectly fine on Windows.
Comment 7 zdroid9770 2013-10-06 13:41:42 UTC
MediaWiki - 1.21.2
PHP - 5.3.6 (cgi-fcgi)
MySQL - 5.0.96-log

The build of Windows is not very specific but the hosting provider is GoDaddy.
