Problem/Motivation
On windows without SSL enabled there is an PHP deprecation message:
Deprecated function: strlen(): Passing null to parameter #1 ($string) of type string is deprecated in drupal_random_bytes() (line 2351 of /includes/bootstrap.inc).
PHP: 8.1
Database: PostgreSQL 11 / MySQL 8 (problem is present regardless of database type)
Drupal: 7.91
The problem appears to be in this part, where $bytes
variable is going to the strlen()
function:
if (strlen($bytes) < $count) {
// Initialize on the first call. The contents of $_SERVER includes a mix of
// user-specific and system information that varies a little with each page.
Something similar was fixed in the drupal_random_bytes()
in #3241422: [PHP 8.1] Passing `null` to internal functions deprecation fixes, but this same usage of $bytes
variable was missed.
Steps to reproduce
Install Drupal 7 on windows and disable openssl.
Proposed resolution
Cast $bytes
to string as it was done few lines above.
$missing_bytes = $count - strlen((string) $bytes);
Comments
Comment #2
poker10 CreditAttribution: poker10 at ActivIT s.r.o. commentedThis patch should fix the problem.
Comment #3
poker10 CreditAttribution: poker10 at ActivIT s.r.o. commentedJust to clarify the problem little bit more. There are two ways to fill the
$bytes
in that code:1.
2.
Neither of these will run on windows without openssl, so the
$bytes
variable will be still empty on the line 2351.Comment #4
joseph.olstadDrupal 8.0.0 did something similar to D7.x in a method called randomBytes and they had also introduced randomBytesBase64
however Drupal 9.4.x they removed randomBytes and are only using randomBytesBase64 that was present in 8.0.0 also :
The above mentioned code for D8/D9 is found in
core/lib/Drupal/Component/Utility/Crypt.php
Comment #5
joseph.olstadrandomBytes() is deprecated in Drupal 8.8.0 and will be removed before Drupal 9.0.0. Use PHP\'s built-in random_bytes() function instead. See
https://drupal.org/node/3057191
hmm, so PHPs random_bytes function, maybe that exists in PHP 8.1, says to use that instead
Comment #6
joseph.olstadPHPs random_bytes was added in PHP 7.0
so it would be fairly easy to check the PHP version, return the result from random_bytes if the version of PHP is >=7.0 otherwise use the Drupal 7 code compatible with PHP 5.2, 5.3, 5.4, 5.5, 5.6
and put this logic inside drupal_random_bytes
Comment #7
joseph.olstadRTBC patch #2
it's the exact same strategy already used by D7.x core , see line number 2318 of
includes/bootstrap.inc
Comment #8
joseph.olstadsee previous changes made by @mcdruid
#3241422: [PHP 8.1] Passing `null` to internal functions deprecation fixes
I double down on RTBC
Comment #9
mcdruidYup, looks like we missed this one (that hopefully doesn't get used much!)
Thanks, ready for commit.
Comment #11
poker10 CreditAttribution: poker10 at ActivIT s.r.o. commentedThanks everyone!