View Issue Details

ID: 0018546
Project: phpList 3 application
Category: Other
View Status: public
Last Update: 09-10-18 23:29
Reporter: duncanc
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: open
Product Version: 3.3.1
Target Version: 3.3.5
Fixed in Version:
Summary: 0018546: phplist fails silently when there is no implementation of random_bytes()
Description: The code that finds an implementation of the random_bytes() function, when there are no options available, generates a function that just throws an exception.

This means that an exception is thrown on the first use of random_bytes() when no implementation is available. As phplist doesn't handle exceptions this means a generic 500 error is probably issued.

This problem was raised on the developers mailing list and in the user forum.

The phplist code should handle the exception generated by the fallback function and issue a meaningful message. Just failing silently is extremely unhelpful.
Tags: No tags attached.

Activities

michiel

22-02-17 20:13

manager   ~0058815

sounds like a job for the outdated-php-compatibility team

michiel

22-02-17 20:46

manager   ~0058816

There are several ways to make it work though:
https://github.com/phpList/phplist3/blob/master/public_html/lists/admin/inc/random_compat/random.php#L60

There won't be that many people left who use php<5.3 which means that the ones who do can work out a valid way to make it work

duncanc

22-02-17 20:52

developer   ~0058817

Last edited: 22-02-17 20:57

I think that you might be missing my point. Currently the code fails silently when there is no implementation of random_bytes(). That itself can be improved by handling the exception, then failing gracefully.

This isn't concerned with using php 5.4+, but with error handling. People who do have php 5.4+ have been affected by this problem. There was no mention of the requirement in the release notes.

Please see this topic on the user forums https://discuss.phplist.org/t/3-3-1-not-reachable-error-500/2565

michiel

22-02-17 21:02

manager   ~0058818

For 5.4 having mcrypt should be enough. I'm not sure we're listing that on our dependencies page.

michiel

22-02-17 21:05

manager   ~0058819

I guess instead of catching the exception, we can implement a final fallback for random_compat. Not great though, as it would cause insecurity.

duncanc

23-02-17 16:38

developer   ~0058822

I was thinking of only catching one exception early in index.php

require_once dirname(__FILE__).'/inc/random_compat/random.php';

try {
    random_bytes(1);
} catch (Exception $e) {
    die ('phpList requires a random_bytes function, see http://sdfdsf for more information');
}

suela

09-10-18 23:29

administrator   ~0061227

https://github.com/phpList/phplist3/pull/403
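
A fuller form of the early check proposed in the thread, as an added example that is not part of the issue thread or of phpList's code: it fails closed instead of substituting a weak generator, writes the reason to the server log, and sends the browser only a fixed message. The function names, message text and diagnostic fields are assumptions; on PHP older than 7 the random_compat include shown in the thread would have to run first.

```php
<?php
// Added example; function names, message text and diagnostic fields are
// hypothetical. On PHP < 7, include the random_compat polyfill before this.

/** Returns null when random_bytes() works, otherwise a short reason. */
function csprng_preflight_failure()
{
    if (!function_exists('random_bytes')) {
        return 'random_bytes() is not defined';
    }
    try {
        $probe = random_bytes(16);
    } catch (Exception $e) {   // polyfill fallback stub, or native failure
        return get_class($e) . ': ' . $e->getMessage();
    } catch (Error $e) {       // PHP 7+ engine errors; never matches on PHP 5
        return get_class($e) . ': ' . $e->getMessage();
    }
    if (!is_string($probe) || strlen($probe) !== 16) {
        return 'random_bytes() returned an unexpected value';
    }
    return null;
}

/** Facts for the server log that help an admin see which source is missing. */
function csprng_diagnostics()
{
    return array(
        'php_version'      => PHP_VERSION,
        'mcrypt_loaded'    => extension_loaded('mcrypt'),
        'urandom_readable' => @is_readable('/dev/urandom'),
        'open_basedir'     => (string) ini_get('open_basedir'),
    );
}

$reason = csprng_preflight_failure();
if ($reason !== null) {
    // Details stay in the server log; the response carries a fixed message.
    error_log('CSPRNG preflight failed: ' . $reason . ' '
        . json_encode(csprng_diagnostics()));
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
        header('Content-Type: text/plain; charset=utf-8');
    }
    // Fail closed: no fallback to mt_rand() or uniqid(), which are predictable.
    exit("No secure random_bytes() implementation is available on this server. "
        . "See the server error log for details.\n");
}
```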