Newsgroups: php.internals
From: ocramius@gmail.com (Marco Pivetta)
Date: Mon, 23 Dec 2013 12:04:10 +0100
To: Joe Watkins
Cc: PHP Internals List, Rouven Weßling
Subject: Re: [PHP-DEV] [RFC] Timing attack safe string comparison function
In-Reply-To: <52B81559.8080409@php.net>

Heya,

I was discussing this RFC with Joe in Room 11 (where we keep him away from society, for the greater good).

I was wondering why such an API must be implemented in PHP core (which means C, which means that the usual 15~20 people can fix it if borked, which is bad) and cannot be just left in userland as it already happens, for example, with https://github.com/zendframework/zf2/blob/master/library/Zend/Crypt/Utils.php#L17-L44 and similar libraries that have some decent security policies themselves (nothing to say about PHP - you guys are doing great!).

Why do we need this in core? Why can't a user copy-paste those rows (if it's a monkey-patcher) or just use a library?

I don't trust PHP coders in general, so I'm pretty sure that the example I've posted before @ https://gist.github.com/Ocramius/8094168 is quite obscure to 99.9% of PHP developers.

Those who have been doing it wrong will continue going on and not caring. Those who are aware of the dangers and do care are most probably already using these kinds of checks via an imported library.

So what is pushing towards yet another function in here? Don't get me wrong: I am all for security, but I don't see a difference between a php-core implementation and a userland implementation.

Cheers,

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/