Bug #24440
closed
Improve the used random generators on *nix platforms
0%
Description
t3lib_div::generateRandomBytes() tries to access /dev/urandom and if it fails, it plays itself with randomness.
For windows operating systems, besids COM, also mcrypt_create_iv() and openssl_random_pseudo_bytes() are checked for availability.
In case of a restrictive open_basedir setting, this causes TYPO3 to decrease performance by not using builtin functions.
The code block should IMHO just be moved out of the } elseif (TYPO3_OS == 'WIN') { clause.
(issue imported from #M16874)
Updated by Steffen Gebert almost 14 years ago
An interesting comment in the PHP bug tracker regarding our code:
http://bugs.php.net/bug.php?id=52523#1280851875
<em>About the patch in typo3, this code is wrong. They use urandom on non windows platform, then try alternatives on windows only.
Problem is that they first try COM (very slow), then try with mcrypt_create_iv and overwrite COM output (regardless if it worked well or not). MCrypt also always exists on windows with 5.3+, no need to test it (statically compiled). The openssl code won't be used either (never reached this condition).
However even if the openssl code was used, its logic is wrong. It considers non strong (not crypto safe) output as invalid. But urandom is not crypto safe anyway. They should test for the openssl function in the 1st place then use fopen('urandom') and finally mcrypt and other options. Much better/clean</em>
Updated by