Newsgroups: php.internals
Message-ID: <50033454.6080100@gmail.com>
Date: Sun, 15 Jul 2012 23:21:24 +0200
From: keisial@gmail.com (Ángel González)
To: internals
References: <4FFFF84D.9070202@rotorised.com> <5000990F.30105@gmail.com>
Subject: Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions

On 15/07/12 22:07, Alex Aulbach wrote:
> 2012/7/14 Andrew Faulds:
>> Well... if people have poorly configured servers spitting out debug
>> info in production mode, I don't think it is our problem. It is
>> theirs.
> Do you want to make it secure or do you want to discuss?

Seems Andrew's mail didn't get to the list.

Yes, production servers shouldn't be showing debug info. But we know that a large fraction of them do.

As coder of a PHP application, I often can't set the configuration of the system where it will be installed. Sometimes not even the person installing it can set it correctly (e.g. shared hosting), it can be changed under your feet (e.g. an update, someone did so to debug a different application...) or even be set explicitly (I want my users to warn me when they see errors!).

If spitting out errors prevented XHTML validation, I wouldn't care that much (obviously, the code shouldn't generate the warning to begin with, but it's not a big deal if users were briefly shown it). But we are talking about passwords and password hashes. Not something you want to risk exposing. Especially when we are trying to make a good interface to encourage secure handling of passwords.

PS: Alex, your non-displayable exception would indeed work (although I would make it a class property).
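The leak Ángel is worried about, and the "non-displayable exception" with the secret kept in a class property, shown as an added example. This code is not from the thread, the password_hash RFC or PHP's own implementation; the function names verify_leaky / verify_safe and the class PasswordMismatchException are made up for illustration. It assumes PHP 8 (password_verify, str_contains, typed properties).

```php
<?php
// Added example (not from the thread or the password_hash RFC).
// Shows how an uncaught exception whose message carries a password hash
// is printed to the HTTP response when display_errors=On, and the
// alternative discussed above: keep the sensitive value in a private
// property so that neither getMessage() nor the rendered exception
// contains it.

declare(strict_types=1);

// --- The problem: the secret is interpolated into the message text -----
function verify_leaky(string $password, string $hash): bool
{
    if (!password_verify($password, $hash)) {
        // With display_errors=On the default handler prints
        // "Fatal error: Uncaught RuntimeException: ..." with this text,
        // so the hash ends up in the page.
        throw new RuntimeException("password did not match hash $hash");
    }
    return true;
}

// --- The fix: message stays generic, secret lives in a property --------
final class PasswordMismatchException extends RuntimeException
{
    // Hypothetical design: the hash is kept for callers that want to
    // write it to a trusted log sink, but it is never part of the message.
    private string $hash;

    public function __construct(string $hash)
    {
        parent::__construct('password verification failed');
        $this->hash = $hash;
    }

    public function getHash(): string
    {
        return $this->hash;
    }

    // The default __toString() (what the uncaught-exception handler
    // prints) appends getTraceAsString(), and the trace lists call
    // arguments, e.g. the plaintext password passed to verify_safe(),
    // unless zend.exception_ignore_args=On (PHP >= 7.4). Rendering only
    // the class and message closes that second channel as well.
    public function __toString(): string
    {
        return static::class . ': ' . $this->getMessage();
    }
}

function verify_safe(string $password, string $hash): bool
{
    if (!password_verify($password, $hash)) {
        throw new PasswordMismatchException($hash);
    }
    return true;
}

// What display_errors=On would show is built from (string)$e; check
// whether a given secret appears in that output.
function rendered_output_contains(Throwable $e, string $secret): bool
{
    return str_contains((string) $e, $secret);
}

// --- Demonstration with a constructed hash and a wrong password --------
$hash = password_hash('correct horse', PASSWORD_DEFAULT);

foreach (['verify_leaky', 'verify_safe'] as $fn) {
    try {
        $fn('wrong password', $hash);
    } catch (Throwable $e) {
        printf("%-13s %s\n", $fn . ':',
            rendered_output_contains($e, $hash) ? 'LEAKS hash' : 'hash not shown');
    }
}
```

Running it prints "verify_leaky: LEAKS hash" and "verify_safe: hash not shown". The same applies to warnings raised from inside a library function: anything placed in the message string should be assumed to reach the browser on a misconfigured host, which is why the value belongs in a property (or a separate, trusted log) rather than in the text.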