UpdraftPlus WordPress Backup Plugin - Version 1.11.5

Version Description

  • 22/Aug/2015 =

  • FIX: phpseclib fix relating to generation of random numbers on some systems (affecting SFTP on some systems)

Download this release

Release Info

Developer DavidAnderson
Plugin Icon 128x128 UpdraftPlus WordPress Backup Plugin
Version 1.11.5
Comparing to
See all releases

Code changes from version 1.11.4 to 1.11.5

Files changed (3) hide show
  1. includes/phpseclib/Crypt/Random.php +237 -186
  2. readme.txt +6 -2
  3. updraftplus.php +1 -1
includes/phpseclib/Crypt/Random.php CHANGED
@@ -1,15 +1,17 @@
1
  <?php
2
- /* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */
3
 
4
  /**
5
  * Random Number Generator
6
  *
 
 
 
7
  * PHP versions 4 and 5
8
  *
9
  * Here's a short example of how to use this library:
10
  * <code>
11
  * <?php
12
- * include('Crypt/Random.php');
13
  *
14
  * echo bin2hex(crypt_random_string(8));
15
  * ?>
@@ -21,10 +23,10 @@
21
  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
22
  * copies of the Software, and to permit persons to whom the Software is
23
  * furnished to do so, subject to the following conditions:
24
- *
25
  * The above copyright notice and this permission notice shall be included in
26
  * all copies or substantial portions of the Software.
27
- *
28
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
29
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
30
  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
@@ -33,186 +35,213 @@
33
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
34
  * THE SOFTWARE.
35
  *
36
- * @category Crypt
37
- * @package Crypt_Random
38
- * @author Jim Wigginton <terrafrost@php.net>
39
- * @copyright MMVII Jim Wigginton
40
- * @license http://www.opensource.org/licenses/mit-license.html MIT License
41
- * @link http://phpseclib.sourceforge.net
42
  */
43
 
44
- /**
45
- * "Is Windows" test
46
- *
47
- * @access private
48
- */
49
- define('CRYPT_RANDOM_IS_WINDOWS', strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
 
 
 
 
50
 
51
- /**
52
- * Generate a random string.
53
- *
54
- * Although microoptimizations are generally discouraged as they impair readability this function is ripe with
55
- * microoptimizations because this function has the potential of being called a huge number of times.
56
- * eg. for RSA key generation.
57
- *
58
- * @param Integer $length
59
- * @return String
60
- * @access public
61
- */
62
- function crypt_random_string($length)
63
- {
64
- if (CRYPT_RANDOM_IS_WINDOWS) {
65
- // method 1. prior to PHP 5.3 this would call rand() on windows hence the function_exists('class_alias') call.
66
- // ie. class_alias is a function that was introduced in PHP 5.3
67
- if (function_exists('mcrypt_create_iv') && function_exists('class_alias')) {
68
- return mcrypt_create_iv($length);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
69
  }
70
- // method 2. openssl_random_pseudo_bytes was introduced in PHP 5.3.0 but prior to PHP 5.3.4 there was,
71
- // to quote <http://php.net/ChangeLog-5.php#5.3.4>, "possible blocking behavior". as of 5.3.4
72
- // openssl_random_pseudo_bytes and mcrypt_create_iv do the exact same thing on Windows. ie. they both
73
- // call php_win32_get_random_bytes():
74
- //
75
- // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/openssl/openssl.c#L5008
76
- // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1392
77
- //
78
- // php_win32_get_random_bytes() is defined thusly:
79
- //
80
- // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/win32/winutil.c#L80
81
  //
82
- // we're calling it, all the same, in the off chance that the mcrypt extension is not available
83
- if (function_exists('openssl_random_pseudo_bytes') && version_compare(PHP_VERSION, '5.3.4', '>=')) {
84
- return openssl_random_pseudo_bytes($length);
85
- }
86
- } else {
87
- // method 1. the fastest
88
- if (function_exists('openssl_random_pseudo_bytes')) {
89
- return openssl_random_pseudo_bytes($length);
90
- }
91
- // method 2
92
- static $fp = true;
93
- if ($fp === true) {
94
- // warning's will be output unles the error suppression operator is used. errors such as
95
- // "open_basedir restriction in effect", "Permission denied", "No such file or directory", etc.
96
- $fp = @fopen('/dev/urandom', 'rb');
97
- }
98
- if ($fp !== true && $fp !== false) { // surprisingly faster than !is_bool() or is_resource()
99
- return fread($fp, $length);
100
- }
101
- // method 3. pretty much does the same thing as method 2 per the following url:
102
- // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1391
103
- // surprisingly slower than method 2. maybe that's because mcrypt_create_iv does a bunch of error checking that we're
104
- // not doing. regardless, this'll only be called if this PHP script couldn't open /dev/urandom due to open_basedir
105
- // restrictions or some such
106
- if (function_exists('mcrypt_create_iv')) {
107
- return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
108
- }
109
- }
110
- // at this point we have no choice but to use a pure-PHP CSPRNG
111
-
112
- // cascade entropy across multiple PHP instances by fixing the session and collecting all
113
- // environmental variables, including the previous session data and the current session
114
- // data.
115
- //
116
- // mt_rand seeds itself by looking at the PID and the time, both of which are (relatively)
117
- // easy to guess at. linux uses mouse clicks, keyboard timings, etc, as entropy sources, but
118
- // PHP isn't low level to be able to use those as sources and on a web server there's not likely
119
- // going to be a ton of keyboard or mouse action. web servers do have one thing that we can use
120
- // however. a ton of people visiting the website. obviously you don't want to base your seeding
121
- // soley on parameters a potential attacker sends but (1) not everything in $_SERVER is controlled
122
- // by the user and (2) this isn't just looking at the data sent by the current user - it's based
123
- // on the data sent by all users. one user requests the page and a hash of their info is saved.
124
- // another user visits the page and the serialization of their data is utilized along with the
125
- // server envirnment stuff and a hash of the previous http request data (which itself utilizes
126
- // a hash of the session data before that). certainly an attacker should be assumed to have
127
- // full control over his own http requests. he, however, is not going to have control over
128
- // everyone's http requests.
129
- static $crypto = false, $v;
130
- if ($crypto === false) {
131
- // save old session data
132
- $old_session_id = session_id();
133
- $old_use_cookies = ini_get('session.use_cookies');
134
- $old_session_cache_limiter = session_cache_limiter();
135
- if (isset($_SESSION)) {
136
- $_OLD_SESSION = $_SESSION;
137
- }
138
- if ($old_session_id != '') {
139
- session_write_close();
140
- }
141
 
142
- session_id(1);
143
- ini_set('session.use_cookies', 0);
144
- session_cache_limiter('');
145
- session_start();
146
-
147
- $v = $seed = $_SESSION['seed'] = pack('H*', sha1(
148
- serialize($_SERVER) .
149
- serialize($_POST) .
150
- serialize($_GET) .
151
- serialize($_COOKIE) .
152
- serialize($GLOBALS) .
153
- serialize($_SESSION) .
154
- serialize($_OLD_SESSION)
155
- ));
156
- if (!isset($_SESSION['count'])) {
157
- $_SESSION['count'] = 0;
158
- }
159
- $_SESSION['count']++;
160
 
161
- session_write_close();
 
 
 
 
 
 
 
 
 
 
 
 
162
 
163
- // restore old session data
164
- if ($old_session_id != '') {
165
- session_id($old_session_id);
166
- session_start();
167
- ini_set('session.use_cookies', $old_use_cookies);
168
- session_cache_limiter($old_session_cache_limiter);
169
- } else {
170
- if (isset($_OLD_SESSION)) {
171
- $_SESSION = $_OLD_SESSION;
172
- unset($_OLD_SESSION);
173
  } else {
174
- unset($_SESSION);
 
 
 
 
 
175
  }
176
- }
177
 
178
- // in SSH2 a shared secret and an exchange hash are generated through the key exchange process.
179
- // the IV client to server is the hash of that "nonce" with the letter A and for the encryption key it's the letter C.
180
- // if the hash doesn't produce enough a key or an IV that's long enough concat successive hashes of the
181
- // original hash and the current hash. we'll be emulating that. for more info see the following URL:
182
- //
183
- // http://tools.ietf.org/html/rfc4253#section-7.2
184
- //
185
- // see the is_string($crypto) part for an example of how to expand the keys
186
- $key = pack('H*', sha1($seed . 'A'));
187
- $iv = pack('H*', sha1($seed . 'C'));
188
 
189
- // ciphers are used as per the nist.gov link below. also, see this link:
190
- //
191
- // http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator#Designs_based_on_cryptographic_primitives
192
- switch (true) {
193
- case class_exists('Crypt_AES'):
194
- $crypto = new Crypt_AES(CRYPT_AES_MODE_CTR);
195
- break;
196
- case class_exists('Crypt_TripleDES'):
197
- $crypto = new Crypt_TripleDES(CRYPT_DES_MODE_CTR);
198
- break;
199
- case class_exists('Crypt_DES'):
200
- $crypto = new Crypt_DES(CRYPT_DES_MODE_CTR);
201
- break;
202
- case class_exists('Crypt_RC4'):
203
- $crypto = new Crypt_RC4();
204
- break;
205
- default:
206
- $crypto = $seed;
207
- return crypt_random_string($length);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
208
  }
209
 
210
- $crypto->setKey($key);
211
- $crypto->setIV($iv);
212
- $crypto->enableContinuousBuffer();
213
- }
214
 
215
- if (is_string($crypto)) {
216
  // the following is based off of ANSI X9.31:
217
  //
218
  // http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
@@ -221,29 +250,51 @@ function crypt_random_string($length)
221
  //
222
  // http://www.opensource.apple.com/source/OpenSSL/OpenSSL-38/openssl/fips-1.0/rand/fips_rand.c
223
  // (do a search for "ANS X9.31 A.2.4")
224
- //
225
- // ANSI X9.31 recommends ciphers be used and phpseclib does use them if they're available (see
226
- // later on in the code) but if they're not we'll use sha1
227
  $result = '';
228
- while (strlen($result) < $length) { // each loop adds 20 bytes
229
- // microtime() isn't packed as "densely" as it could be but then neither is that the idea.
230
- // the idea is simply to ensure that each "block" has a unique element to it.
231
- $i = pack('H*', sha1(microtime()));
232
- $r = pack('H*', sha1($i ^ $v));
233
- $v = pack('H*', sha1($r ^ $i));
234
  $result.= $r;
235
  }
236
  return substr($result, 0, $length);
237
  }
 
238
 
239
- //return $crypto->encrypt(str_repeat("\0", $length));
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
240
 
241
- $result = '';
242
- while (strlen($result) < $length) {
243
- $i = $crypto->encrypt(microtime());
244
- $r = $crypto->encrypt($i ^ $v);
245
- $v = $crypto->encrypt($r ^ $i);
246
- $result.= $r;
247
  }
248
- return substr($result, 0, $length);
249
  }
1
  <?php
 
2
 
3
  /**
4
  * Random Number Generator
5
  *
6
+ * The idea behind this function is that it can be easily replaced with your own crypt_random_string()
7
+ * function. eg. maybe you have a better source of entropy for creating the initial states or whatever.
8
+ *
9
  * PHP versions 4 and 5
10
  *
11
  * Here's a short example of how to use this library:
12
  * <code>
13
  * <?php
14
+ * include 'Crypt/Random.php';
15
  *
16
  * echo bin2hex(crypt_random_string(8));
17
  * ?>
23
  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
24
  * copies of the Software, and to permit persons to whom the Software is
25
  * furnished to do so, subject to the following conditions:
26
+ *
27
  * The above copyright notice and this permission notice shall be included in
28
  * all copies or substantial portions of the Software.
29
+ *
30
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
31
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
32
  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
36
  * THE SOFTWARE.
37
  *
38
+ * @category Crypt
39
+ * @package Crypt_Random
40
+ * @author Jim Wigginton <terrafrost@php.net>
41
+ * @copyright 2007 Jim Wigginton
42
+ * @license http://www.opensource.org/licenses/mit-license.html MIT License
43
+ * @link http://phpseclib.sourceforge.net
44
  */
45
 
46
+ // laravel is a PHP framework that utilizes phpseclib. laravel workbenches may, independently,
47
+ // have phpseclib as a requirement as well. if you're developing such a program you may encounter
48
+ // a "Cannot redeclare crypt_random_string()" error.
49
+ if (!function_exists('crypt_random_string')) {
50
+ /**
51
+ * "Is Windows" test
52
+ *
53
+ * @access private
54
+ */
55
+ define('CRYPT_RANDOM_IS_WINDOWS', strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
56
 
57
+ /**
58
+ * Generate a random string.
59
+ *
60
+ * Although microoptimizations are generally discouraged as they impair readability this function is ripe with
61
+ * microoptimizations because this function has the potential of being called a huge number of times.
62
+ * eg. for RSA key generation.
63
+ *
64
+ * @param Integer $length
65
+ * @return String
66
+ * @access public
67
+ */
68
+ function crypt_random_string($length)
69
+ {
70
+ if (CRYPT_RANDOM_IS_WINDOWS) {
71
+ // method 1. prior to PHP 5.3 this would call rand() on windows hence the function_exists('class_alias') call.
72
+ // ie. class_alias is a function that was introduced in PHP 5.3
73
+ if (function_exists('mcrypt_create_iv') && function_exists('class_alias')) {
74
+ return mcrypt_create_iv($length);
75
+ }
76
+ // method 2. openssl_random_pseudo_bytes was introduced in PHP 5.3.0 but prior to PHP 5.3.4 there was,
77
+ // to quote <http://php.net/ChangeLog-5.php#5.3.4>, "possible blocking behavior". as of 5.3.4
78
+ // openssl_random_pseudo_bytes and mcrypt_create_iv do the exact same thing on Windows. ie. they both
79
+ // call php_win32_get_random_bytes():
80
+ //
81
+ // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/openssl/openssl.c#L5008
82
+ // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1392
83
+ //
84
+ // php_win32_get_random_bytes() is defined thusly:
85
+ //
86
+ // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/win32/winutil.c#L80
87
+ //
88
+ // we're calling it, all the same, in the off chance that the mcrypt extension is not available
89
+ if (function_exists('openssl_random_pseudo_bytes') && version_compare(PHP_VERSION, '5.3.4', '>=')) {
90
+ return openssl_random_pseudo_bytes($length);
91
+ }
92
+ } else {
93
+ // method 1. the fastest
94
+ if (function_exists('openssl_random_pseudo_bytes')) {
95
+ return openssl_random_pseudo_bytes($length);
96
+ }
97
+ // method 2
98
+ static $fp = true;
99
+ if ($fp === true) {
100
+ // warning's will be output unles the error suppression operator is used. errors such as
101
+ // "open_basedir restriction in effect", "Permission denied", "No such file or directory", etc.
102
+ $fp = @fopen('/dev/urandom', 'rb');
103
+ }
104
+ if ($fp !== true && $fp !== false) { // surprisingly faster than !is_bool() or is_resource()
105
+ return fread($fp, $length);
106
+ }
107
+ // method 3. pretty much does the same thing as method 2 per the following url:
108
+ // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1391
109
+ // surprisingly slower than method 2. maybe that's because mcrypt_create_iv does a bunch of error checking that we're
110
+ // not doing. regardless, this'll only be called if this PHP script couldn't open /dev/urandom due to open_basedir
111
+ // restrictions or some such
112
+ if (function_exists('mcrypt_create_iv')) {
113
+ return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
114
+ }
115
  }
116
+ // at this point we have no choice but to use a pure-PHP CSPRNG
117
+
118
+ // cascade entropy across multiple PHP instances by fixing the session and collecting all
119
+ // environmental variables, including the previous session data and the current session
120
+ // data.
 
 
 
 
 
 
121
  //
122
+ // mt_rand seeds itself by looking at the PID and the time, both of which are (relatively)
123
+ // easy to guess at. linux uses mouse clicks, keyboard timings, etc, as entropy sources, but
124
+ // PHP isn't low level to be able to use those as sources and on a web server there's not likely
125
+ // going to be a ton of keyboard or mouse action. web servers do have one thing that we can use
126
+ // however, a ton of people visiting the website. obviously you don't want to base your seeding
127
+ // soley on parameters a potential attacker sends but (1) not everything in $_SERVER is controlled
128
+ // by the user and (2) this isn't just looking at the data sent by the current user - it's based
129
+ // on the data sent by all users. one user requests the page and a hash of their info is saved.
130
+ // another user visits the page and the serialization of their data is utilized along with the
131
+ // server envirnment stuff and a hash of the previous http request data (which itself utilizes
132
+ // a hash of the session data before that). certainly an attacker should be assumed to have
133
+ // full control over his own http requests. he, however, is not going to have control over
134
+ // everyone's http requests.
135
+ static $crypto = false, $v;
136
+ if ($crypto === false) {
137
+ // save old session data
138
+ $old_session_id = session_id();
139
+ $old_use_cookies = ini_get('session.use_cookies');
140
+ $old_session_cache_limiter = session_cache_limiter();
141
+ $_OLD_SESSION = isset($_SESSION) ? $_SESSION : false;
142
+ if ($old_session_id != '') {
143
+ session_write_close();
144
+ }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
145
 
146
+ session_id(1);
147
+ ini_set('session.use_cookies', 0);
148
+ session_cache_limiter('');
149
+ session_start();
 
 
 
 
 
 
 
 
 
 
 
 
 
 
150
 
151
+ $v = $seed = $_SESSION['seed'] = pack('H*', sha1(
152
+ serialize($_SERVER) .
153
+ serialize($_POST) .
154
+ serialize($_GET) .
155
+ serialize($_COOKIE) .
156
+ serialize($GLOBALS) .
157
+ serialize($_SESSION) .
158
+ serialize($_OLD_SESSION)
159
+ ));
160
+ if (!isset($_SESSION['count'])) {
161
+ $_SESSION['count'] = 0;
162
+ }
163
+ $_SESSION['count']++;
164
 
165
+ session_write_close();
166
+
167
+ // restore old session data
168
+ if ($old_session_id != '') {
169
+ session_id($old_session_id);
170
+ session_start();
171
+ ini_set('session.use_cookies', $old_use_cookies);
172
+ session_cache_limiter($old_session_cache_limiter);
 
 
173
  } else {
174
+ if ($_OLD_SESSION !== false) {
175
+ $_SESSION = $_OLD_SESSION;
176
+ unset($_OLD_SESSION);
177
+ } else {
178
+ unset($_SESSION);
179
+ }
180
  }
 
181
 
182
+ // in SSH2 a shared secret and an exchange hash are generated through the key exchange process.
183
+ // the IV client to server is the hash of that "nonce" with the letter A and for the encryption key it's the letter C.
184
+ // if the hash doesn't produce enough a key or an IV that's long enough concat successive hashes of the
185
+ // original hash and the current hash. we'll be emulating that. for more info see the following URL:
186
+ //
187
+ // http://tools.ietf.org/html/rfc4253#section-7.2
188
+ //
189
+ // see the is_string($crypto) part for an example of how to expand the keys
190
+ $key = pack('H*', sha1($seed . 'A'));
191
+ $iv = pack('H*', sha1($seed . 'C'));
192
 
193
+ // ciphers are used as per the nist.gov link below. also, see this link:
194
+ //
195
+ // http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator#Designs_based_on_cryptographic_primitives
196
+ switch (true) {
197
+ case phpseclib_resolve_include_path('Crypt/AES.php'):
198
+ if (!class_exists('Crypt_AES')) {
199
+ include_once 'AES.php';
200
+ }
201
+ $crypto = new Crypt_AES(CRYPT_AES_MODE_CTR);
202
+ break;
203
+ case phpseclib_resolve_include_path('Crypt/Twofish.php'):
204
+ if (!class_exists('Crypt_Twofish')) {
205
+ include_once 'Twofish.php';
206
+ }
207
+ $crypto = new Crypt_Twofish(CRYPT_TWOFISH_MODE_CTR);
208
+ break;
209
+ case phpseclib_resolve_include_path('Crypt/Blowfish.php'):
210
+ if (!class_exists('Crypt_Blowfish')) {
211
+ include_once 'Blowfish.php';
212
+ }
213
+ $crypto = new Crypt_Blowfish(CRYPT_BLOWFISH_MODE_CTR);
214
+ break;
215
+ case phpseclib_resolve_include_path('Crypt/TripleDES.php'):
216
+ if (!class_exists('Crypt_TripleDES')) {
217
+ include_once 'TripleDES.php';
218
+ }
219
+ $crypto = new Crypt_TripleDES(CRYPT_DES_MODE_CTR);
220
+ break;
221
+ case phpseclib_resolve_include_path('Crypt/DES.php'):
222
+ if (!class_exists('Crypt_DES')) {
223
+ include_once 'DES.php';
224
+ }
225
+ $crypto = new Crypt_DES(CRYPT_DES_MODE_CTR);
226
+ break;
227
+ case phpseclib_resolve_include_path('Crypt/RC4.php'):
228
+ if (!class_exists('Crypt_RC4')) {
229
+ include_once 'RC4.php';
230
+ }
231
+ $crypto = new Crypt_RC4();
232
+ break;
233
+ default:
234
+ user_error('crypt_random_string requires at least one symmetric cipher be loaded');
235
+ return false;
236
+ }
237
+
238
+ $crypto->setKey($key);
239
+ $crypto->setIV($iv);
240
+ $crypto->enableContinuousBuffer();
241
  }
242
 
243
+ //return $crypto->encrypt(str_repeat("\0", $length));
 
 
 
244
 
 
245
  // the following is based off of ANSI X9.31:
246
  //
247
  // http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
250
  //
251
  // http://www.opensource.apple.com/source/OpenSSL/OpenSSL-38/openssl/fips-1.0/rand/fips_rand.c
252
  // (do a search for "ANS X9.31 A.2.4")
 
 
 
253
  $result = '';
254
+ while (strlen($result) < $length) {
255
+ $i = $crypto->encrypt(microtime()); // strlen(microtime()) == 21
256
+ $r = $crypto->encrypt($i ^ $v); // strlen($v) == 20
257
+ $v = $crypto->encrypt($r ^ $i); // strlen($r) == 20
 
 
258
  $result.= $r;
259
  }
260
  return substr($result, 0, $length);
261
  }
262
+ }
263
 
264
+ if (!function_exists('phpseclib_resolve_include_path')) {
265
+ /**
266
+ * Resolve filename against the include path.
267
+ *
268
+ * Wrapper around stream_resolve_include_path() (which was introduced in
269
+ * PHP 5.3.2) with fallback implementation for earlier PHP versions.
270
+ *
271
+ * @param string $filename
272
+ * @return mixed Filename (string) on success, false otherwise.
273
+ * @access public
274
+ */
275
+ function phpseclib_resolve_include_path($filename)
276
+ {
277
+ if (function_exists('stream_resolve_include_path')) {
278
+ return stream_resolve_include_path($filename);
279
+ }
280
+
281
+ // handle non-relative paths
282
+ if (file_exists($filename)) {
283
+ return realpath($filename);
284
+ }
285
+
286
+ $paths = PATH_SEPARATOR == ':' ?
287
+ preg_split('#(?<!phar):#', get_include_path()) :
288
+ explode(PATH_SEPARATOR, get_include_path());
289
+ foreach ($paths as $prefix) {
290
+ // path's specified in include_path don't always end in /
291
+ $ds = substr($prefix, -1) == DIRECTORY_SEPARATOR ? '' : DIRECTORY_SEPARATOR;
292
+ $file = $prefix . $ds . $filename;
293
+ if (file_exists($file)) {
294
+ return realpath($file);
295
+ }
296
+ }
297
 
298
+ return false;
 
 
 
 
 
299
  }
 
300
  }
readme.txt CHANGED
@@ -3,7 +3,7 @@ Contributors: Backup with UpdraftPlus, DavidAnderson
3
  Tags: backup, backups, restore, amazon backup, s3 backup, dropbox backup, google drive backup, rackspace cloud files, rackspace backup, dreamhost, dreamobjects backup, ftp backup, webdav backup, google cloud storage, onedrive, microsoft one drive, back up, multisite, restoration, sftp backup, ftps, scp backup, migrate, duplicate, copy, mysql backup, database backup, db backups, website backup, wordpress backup, full backup, openstack backup, sicherung
4
  Requires at least: 3.2
5
  Tested up to: 4.3
6
- Stable tag: 1.11.4
7
  Author URI: https://updraftplus.com
8
  Donate link: http://david.dw-perspective.org.uk/donate
9
  License: GPLv3 or later
@@ -120,6 +120,10 @@ The <a href="https://updraftplus.com/news/">UpdraftPlus backup blog</a> is the b
120
 
121
  N.B. Paid versions of UpdraftPlus Backup / Restore have a version number which is 1 higher in the first digit, and has an extra component on the end, but the changelog below still applies. i.e. changes listed for 1.11.4 of the free version correspond to changes made in 2.11.4.x of the paid version.
122
 
 
 
 
 
123
  = 1.11.4 - 19/Aug/2015 =
124
 
125
  * FIX: Perform previously missing tweak on the database after restoring a multisite backup to an install with a different table prefix, which inhibited the ability to create new users on the main site in a network.
@@ -1617,4 +1621,4 @@ We recognise and thank the following for code and/or libraries used and/or modif
1617
 
1618
 
1619
  == Upgrade Notice ==
1620
- * 1.11.4 : Small tweaks and fixes.
3
  Tags: backup, backups, restore, amazon backup, s3 backup, dropbox backup, google drive backup, rackspace cloud files, rackspace backup, dreamhost, dreamobjects backup, ftp backup, webdav backup, google cloud storage, onedrive, microsoft one drive, back up, multisite, restoration, sftp backup, ftps, scp backup, migrate, duplicate, copy, mysql backup, database backup, db backups, website backup, wordpress backup, full backup, openstack backup, sicherung
4
  Requires at least: 3.2
5
  Tested up to: 4.3
6
+ Stable tag: 1.11.5
7
  Author URI: https://updraftplus.com
8
  Donate link: http://david.dw-perspective.org.uk/donate
9
  License: GPLv3 or later
120
 
121
  N.B. Paid versions of UpdraftPlus Backup / Restore have a version number which is 1 higher in the first digit, and has an extra component on the end, but the changelog below still applies. i.e. changes listed for 1.11.4 of the free version correspond to changes made in 2.11.4.x of the paid version.
122
 
123
+ = 1.11.5 - 22/Aug/2015 =
124
+
125
+ * FIX: phpseclib fix relating to generation of random numbers on some systems (affecting SFTP on some systems)
126
+
127
  = 1.11.4 - 19/Aug/2015 =
128
 
129
  * FIX: Perform previously missing tweak on the database after restoring a multisite backup to an install with a different table prefix, which inhibited the ability to create new users on the main site in a network.
1621
 
1622
 
1623
  == Upgrade Notice ==
1624
+ * 1.11.5 : Random number generation was halting on some systems due to phpseclib issue in 1.11.4
updraftplus.php CHANGED
@@ -4,7 +4,7 @@ Plugin Name: UpdraftPlus - Backup/Restore
4
  Plugin URI: https://updraftplus.com
5
  Description: Backup and restore: take backups locally, or backup to Amazon S3, Dropbox, Google Drive, Rackspace, (S)FTP, WebDAV & email, on automatic schedules.
6
  Author: UpdraftPlus.Com, DavidAnderson
7
- Version: 1.11.4
8
  Donate link: http://david.dw-perspective.org.uk/donate
9
  License: GPLv3 or later
10
  Text Domain: updraftplus
4
  Plugin URI: https://updraftplus.com
5
  Description: Backup and restore: take backups locally, or backup to Amazon S3, Dropbox, Google Drive, Rackspace, (S)FTP, WebDAV & email, on automatic schedules.
6
  Author: UpdraftPlus.Com, DavidAnderson
7
+ Version: 1.11.5
8
  Donate link: http://david.dw-perspective.org.uk/donate
9
  License: GPLv3 or later
10
  Text Domain: updraftplus