Newsgroups: php.internals
Subject: Re: [PHP-DEV] Core functions throwing exceptions in PHP7
From: dean.eigenmann@icloud.com (Dean Eigenmann)
To: Sammy Kaye Powers
Cc: PHP Internals
Date: Tue, 14 Jul 2015 23:10:41 +0200

Would a PHP Error not work in this case? Or would the error then be
interpreted as the result?

> On 14 Jul 2015, at 23:04, Sammy Kaye Powers wrote:
>
> Hello lovely PHP nerds,
>
> There are two open PR's for PHP7 to modify the behavior of the CSPRNG's:
>
> https://github.com/php/php-src/pull/1397 (main discussion)
> https://github.com/php/php-src/pull/1398
>
> Currently the random_*() functions will issue a warning and return false if
> a good source of random cannot be found. This is a potential security hole
> in the event the RNG fails and returns false which gets evaluated as 0 in a
> cryptographic context.
>
> To prevent this exploit the proposed behavior will throw an Exception when
> the RNG fails or certain argument validation fails. This also gives the
> developer a graceful way to fall back to an alternate CSPRNG.
>
> Since the core functions in PHP don't throw Exceptions, there is debate on
> whether or not this change should be implemented. Some say the CSPRNG's
> should get a special pass since they will be relied on for cryptography. If
> we can't throw Exceptions, there were suggestions of raising a fatal error
> if the RNG fails.
>
> I think the argument can be boiled down to consistency vs security. We'd
> love to hear your feedback to decide what we should do in this context. :)
>
> Thanks,
> Sammy Kaye Powers
> sammyk.me
>
> Chicago, IL 60604
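
The two behaviours debated in this thread, side by side, as an added example that is not part of the original messages or of php-src. The functions `rng_warns_and_returns_false`, `rng_throws` and `reset_code` are hypothetical stand-ins that simulate an RNG whose entropy source is unavailable.

```php
<?php
// Hypothetical stand-ins for a CSPRNG whose entropy source is unavailable.
// Neither function is from php-src; both are constructed for this example.

// Behaviour described as current in the thread: warn, then return false.
function rng_warns_and_returns_false(int $min, int $max)
{
    trigger_error('no good source of randomness', E_USER_WARNING);
    return false;
}

// Behaviour proposed in the thread: throw when the RNG fails.
function rng_throws(int $min, int $max): int
{
    throw new Exception('no good source of randomness');
}

// A caller that does not check the return value.
function reset_code(callable $rng): string
{
    $n = $rng(0, 999999);
    // %d casts its argument to int, so a boolean false is formatted as 0.
    return sprintf('%06d', $n);
}

// Keep the warning out of the output; a production log would record it.
set_error_handler(function (int $errno, string $msg): bool {
    return true;
}, E_USER_WARNING);

// Failure is silent: the caller receives a well-formed, fixed code.
var_dump(reset_code('rng_warns_and_returns_false'));

// Failure is loud: no code is issued unless the caller handles the exception,
// which is also the place to fall back to an alternate CSPRNG.
try {
    var_dump(reset_code('rng_throws'));
} catch (Exception $e) {
    echo 'no code issued: ', $e->getMessage(), PHP_EOL;
}
```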