Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [Discuss] Random Functions Throwing Exceptions in PHP 7.0.0
From: Scott Arciszewski <scott@paragonie.com>
To: Thomas Bley
Cc: PHP Internals, Anthony Ferrara
Date: Sat, 22 Aug 2015 20:50:01 -0400
In-Reply-To: <20150823003346.A6E6B2617DA@dd15934.kasserver.com>

On Sat, Aug 22, 2015 at 8:33 PM, Thomas Bley wrote:
> Anthony Ferrara wrote on 22.08.2015 21:58:
>
>> All,
>>
>> I am putting a simple RFC up for discussion to make random_* throw
>> exceptions on failure in order to ensure we fail-closed.
>>
>> https://wiki.php.net/rfc/random-function-exceptions
>>
>> Considering this topic has already been discussed, I intend to open
>> voting on this as soon as allowable. Given the voting policy specifies
>> 2 weeks for language changes and 1 week for another, this is assumed
>> to require 1 week of "discussion".
>>
>> With that in mind, I intend to put this RFC up to vote on August 29/30th.
>>
>> Thanks!
>>
>> Anthony
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
>
> Hi,
>
> I think there are a lot of security problems if people ignore return values, e.g. password comparison, user lookup in database, lookups for permissions, etc.
>
> Having false + E_WARNING highlighted in the documentation with a yellow box and the Caution title should be enough.
>
> Those who want exceptions can implement this in userland:
>
> $rand = random_int(10, 100);
> if ($rand === false) {
>     throw new Exception('error ...');
> }
> // or write a wrapper like random_int_exception(...).
>
> If people use this function without reading documentation, they will also use other things without documentation like database queries without binding/escaping, inject html without escaping, etc.
> Having core functions suddenly throw exceptions causes many problems in the code structure.
>
> Regards
> Thomas

Hi Thomas,

Your proposal effectively blames the user if they get it wrong and burdens them with additional responsibilities. Increasing the cognitive load of PHP developers will not result in a net gain for the security of the applications they develop.

I've made this argument elsewhere in the course of this discussion. Cryptography implementations should do everything reasonable to not blame the user, and cryptographic primitives should do everything reasonable to not blame the implementor.

Read this: http://cr.yp.to/talks/2015.01.07/slides-djb-20150107-a4.pdf

> If people use this function without reading documentation, they will also use other things without documentation like database queries without binding/escaping, inject html without escaping, etc.
> Having core functions suddenly throw exceptions causes many problems in the code structure.

Exceptions will only be thrown in exceptional circumstances:

1. If they're using shared hosting, and a malicious script triggers a file descriptor exhaustion condition on another hosting account (we're assuming great sandboxing between customers), an exception will be thrown rather than returning FALSE.
2. If the system is utterly incapable of generating random numbers.

An exception must either be handled (try-catch), or it by default terminates script execution. This is the best of both worlds:

1. It fails closed.
2. It's easy to handle gracefully should the developer wish to do so.

Designing a CSPRNG that will fail closed, without unavoidably killing their script (i.e. E_ERROR), will do far more to make PHP applications secure than telling people they should RTFM. Hackers have been saying RTFM since the ARPANET days, and yet most people still don't. It's a losing battle. Let's patch what we can with good design decisions.

TL;DR - the path forward is Throwable.

Whether it's an Error object or an Exception object (and when it throws which) is what's to be discussed and voted on.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
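The two failure modes this exchange contrasts (a FALSE return that an inattentive caller silently coerces, versus an exception that must be caught or terminates the script), as an added PHP example that is not part of the thread or of PHP itself. random_bytes_or_false() and its $entropyAvailable switch are constructed stand-ins for a fail-open API; random_bytes() and random_int() are PHP 7's real functions, which throw on failure.

```php
<?php
// Added example, not from the thread. Contrasts "return FALSE + E_WARNING"
// with "throw on failure" from the point of view of a caller that forgets to
// check the result.

/**
 * Hypothetical fail-open CSPRNG (constructed for this demo): returns FALSE
 * plus a warning when entropy is unavailable. $entropyAvailable is a
 * constructed switch so the failure path can be exercised on a healthy host.
 *
 * @return string|false
 */
function random_bytes_or_false($length, $entropyAvailable)
{
    if (!$entropyAvailable) {
        trigger_error('CSPRNG unavailable', E_USER_WARNING);
        return false;
    }
    return random_bytes($length);
}

/**
 * A caller that never checks the return value (and, as is common in
 * production, has warnings suppressed). FALSE is coerced by bin2hex() into
 * '' and the "token" is an empty, constant string. Nothing stops the request.
 */
function token_fail_open($entropyAvailable)
{
    $raw = @random_bytes_or_false(16, $entropyAvailable);
    return bin2hex($raw);
}

/**
 * The same careless caller against PHP 7's random_bytes(). There is no FALSE
 * to coerce: on entropy failure an Exception propagates and, if nothing
 * catches it, script execution terminates. That is the fail-closed default.
 */
function token_fail_closed()
{
    return bin2hex(random_bytes(16));
}

/**
 * The "handle it gracefully" option. Catching Throwable covers both the
 * Exception (entropy failure) and the Error (bad arguments, e.g. a minimum
 * above the maximum), and the handler still fails closed: it refuses to
 * issue a credential instead of falling back to a weak source like mt_rand().
 */
function session_token_or_abort()
{
    try {
        return bin2hex(random_bytes(16));
    } catch (Throwable $e) {
        error_log('secure RNG failure: ' . $e->getMessage());
        http_response_code(503);
        exit;
    }
}

/**
 * Detection aid for a review or a runtime assertion: a 16-byte token must be
 * exactly 32 hex characters. Anything shorter means a failure was swallowed.
 */
function token_looks_valid($token)
{
    return is_string($token) && strlen($token) === 32 && ctype_xdigit($token);
}

// Constructed demonstration of the three callers.
$healthy = token_fail_open(true);
$starved = token_fail_open(false);   // simulated entropy failure, silently ''
var_dump(token_looks_valid($healthy));
var_dump(token_looks_valid($starved));

var_dump(token_looks_valid(token_fail_closed()));
var_dump(token_looks_valid(session_token_or_abort()));

// The Error branch of Throwable: random_int() with min > max throws an Error
// in PHP 7 rather than returning FALSE, so the mistake cannot be ignored.
try {
    random_int(100, 10);
} catch (Error $e) {
    echo 'Error: ', $e->getMessage(), PHP_EOL;
}
```

The point of token_fail_open() is that the `$rand === false` check from the userland proposal only helps the developers who write it; every caller that omits it gets a coerced value and carries on. With the throwing design the omission is not silent, and the only way to keep running is the explicit try/catch in session_token_or_abort(), where the developer decides what failing closed means for their application.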