diff vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php @ 4:a9cd425dd02b

Update, including to Drupal core 8.6.10
author Chris Cannam
date Thu, 28 Feb 2019 13:11:55 +0000
parents 5311817fb629
children
--- a/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php	Thu Feb 28 11:14:44 2019 +0000
+++ b/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php	Thu Feb 28 13:11:55 2019 +0000
@@ -1,22 +1,22 @@
 <?php
 /**
- * Random_* Compatibility Library 
+ * Random_* Compatibility Library
  * for using the new PHP 7 random_* API in PHP 5 projects
- * 
+ *
  * The MIT License (MIT)
  *
  * Copyright (c) 2015 - 2018 Paragon Initiative Enterprises
- * 
+ *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
  * in the Software without restriction, including without limitation the rights
  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  * copies of the Software, and to permit persons to whom the Software is
  * furnished to do so, subject to the following conditions:
- * 
+ *
  * The above copyright notice and this permission notice shall be included in
  * all copies or substantial portions of the Software.
- * 
+ *
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -36,6 +36,7 @@
      * random numbers in accordance with best practices
      *
      * Why we use /dev/urandom and not /dev/random
+     * @ref https://www.2uo.de/myths-about-urandom
      * @ref http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers
      *
      * @param int $bytes
@@ -54,17 +55,35 @@
          */
         if (empty($fp)) {
             /**
-             * We use /dev/urandom if it is a char device.
-             * We never fall back to /dev/random
+             * We don't want to ever read C:\dev\random, only /dev/urandom on
+             * Unix-like operating systems. While we guard against this
+             * condition in random.php, it doesn't hurt to be defensive in depth
+             * here.
+             *
+             * To that end, we only try to open /dev/urandom if we're on a Unix-
+             * like operating system (which means the directory separator is set
+             * to "/" not "\".
              */
-            /** @var resource|bool $fp */
-            $fp = fopen('/dev/urandom', 'rb');
-            if (is_resource($fp)) {
-                /** @var array<string, int> $st */
-                $st = fstat($fp);
-                if (($st['mode'] & 0170000) !== 020000) {
-                    fclose($fp);
-                    $fp = false;
+            if (DIRECTORY_SEPARATOR === '/') {
+                if (!is_readable('/dev/urandom')) {
+                    throw new Exception(
+                        'Environment misconfiguration: ' .
+                        '/dev/urandom cannot be read.'
+                    );
+                }
+                /**
+                 * We use /dev/urandom if it is a char device.
+                 * We never fall back to /dev/random
+                 */
+                /** @var resource|bool $fp */
+                $fp = fopen('/dev/urandom', 'rb');
+                if (is_resource($fp)) {
+                    /** @var array<string, int> $st */
+                    $st = fstat($fp);
+                    if (($st['mode'] & 0170000) !== 020000) {
+                        fclose($fp);
+                        $fp = false;
+                    }
                 }
             }
 
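Review bot: The type test `($st['mode'] & 0170000) !== 020000` only establishes that the opened path is a character device, not that it is the kernel's random device, and the result of `fstat()` is indexed without first checking it for `false`. A node provisioned incorrectly in a chroot or container image would still pass, so a comment such as `// Only proves "character device"; the deployment must provision /dev/urandom correctly.` would state that limit. When `DIRECTORY_SEPARATOR` is not `/`, `$fp` is never assigned in this block and the code that follows is outside the hunk, so it is worth confirming that path ends in an exception rather than a weaker source. The new docblock also leaves a parenthesis unclosed after `"\"`. Since the file sits under vendor/, any change belongs upstream rather than in this tree.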
@@ -128,29 +147,28 @@
                  */
                 $read = fread($fp, $remaining);
                 if (!is_string($read)) {
-                    if ($read === false) {
-                        /**
-                         * We cannot safely read from the file. Exit the
-                         * do-while loop and trigger the exception condition
-                         *
-                         * @var string|bool
-                         */
-                        $buf = false;
-                        break;
-                    }
+                    /**
+                     * We cannot safely read from the file. Exit the
+                     * do-while loop and trigger the exception condition
+                     *
+                     * @var string|bool
+                     */
+                    $buf = false;
+                    break;
                 }
                 /**
                  * Decrease the number of bytes returned from remaining
                  */
                 $remaining -= RandomCompat_strlen($read);
                 /**
-                 * @var string|bool
+                 * @var string $buf
                  */
-                $buf = $buf . $read;
+                $buf .= $read;
             } while ($remaining > 0);
 
             /**
              * Is our result valid?
+             * @var string|bool $buf
              */
             if (is_string($buf)) {
                 if (RandomCompat_strlen($buf) === $bytes) {
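Review bot: An empty string from `fread()` (end of file, or a device that yields no data) is not caught by the simplified `if (!is_string($read))` guard, so `$remaining` stays unchanged and the `do … while ($remaining > 0)` loop would not terminate. The real /dev/urandom should never report EOF, but the earlier check only confirms a character device, so failing closed here is cheap insurance: `if (!is_string($read) || $read === '') {`. That sends the short-read case to the existing `$buf = false; break;` path and the exception that follows. The loop's opening and the final throw are outside this hunk, so the exact exit behaviour is inferred from the comments shown.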