Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [Discuss] Random Functions Throwing Exceptions in PHP 7.0.0
From: scott@paragonie.com (Scott Arciszewski)
To: Thomas Bley
Cc: PHP Internals, inefedor@gmail.com
Date: Sun, 23 Aug 2015 22:37:53 -0400

On Sun, Aug 23, 2015 at 10:30 PM, Thomas Bley wrote:
>
> Nikita Nefedov wrote on 23.08.2015 18:27:
> >
> >> On 23 Aug 2015, at 18:37, Thomas Bley wrote:
> >>
> >> consider this code:
> >>
> >> declare(strict_types=0);
> >> ini_set('display_errors', '1');
> >>
> >> function get_random_int(): int {
> >>     return false;
> >> }
> >> echo get_random_int();
> >>
> >> and then use strict_types=1
> >
> > So you're implying that in case of returning false with strict_types turned on
> > that would just throw a TypeError? That would be a bug in PHP. If you were
> > saying that in this case it should throw a different kind of error (the one
> > that was proposed by Anthony initially) then it wouldn't make sense again,
> > because then you're creating a straight relation between having strict_types
> > mode turned on and random_int() throwing an exception about not getting a reliable
> > source of entropy.
> >
> >> Even correct return values of random_int() might create bad passwords.
> >> So I propose to have a function in core which tests the strength of the
> >> password:
> >>
> >> $password = '';
> >> for ($i = 0; $i < 10; $i++) {
> >>     $password .= $characters[random_int(0, 30)];
> >> }
> >> if (password_strength($password) < PHP_PASSWORD_STRONG) {
> >>     throw new Exception("password not strong enough");
> >> }
> >
> > I don't think it's a good idea; a language delivers features that users would
> > have a hard time implementing themselves, small blocks from which you can
> > build whatever you want. A function that checks if a string contains
> > alphanumeric symbols as well as punctuation is pretty easy to implement in
> > user land.
>
> If it were so easy to implement this function, there would be no problems with weak passwords in PHP software.
> You can also implement fopen('/dev/urandom','rb') in userland without having random_int().
>
> Regards
> Thomas

Hi Thomas,

There is no /dev/urandom on the Windows operating system, so that system is not universal. I invite you to look at random_compat and see the effort that has gone into writing a congruent feature using only PHP 5 features.

https://github.com/paragonie/random_compat

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
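A fail-closed version of the password loop quoted in the thread, added here as an illustration rather than code from any of the participants: it relies on PHP 7's random_int() throwing an Exception when no reliable entropy source is available, so the caller aborts instead of silently receiving a coerced 0 the way the `return false` example does under strict_types=0. The alphabet, the length and the function name are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed alphabet for the example: 62 symbols, so random_int(0, 61)
// selects each one with equal probability (no modulo bias to correct).
const PASSWORD_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

/**
 * Build a password of $length symbols drawn from PASSWORD_ALPHABET.
 * random_int() throws Exception if it cannot gather entropy, on every
 * platform and independently of strict_types; the exception propagates
 * to the caller instead of being turned into a weak or constant value.
 */
function generate_password(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be positive');
    }
    $max = strlen(PASSWORD_ALPHABET) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= PASSWORD_ALPHABET[random_int(0, $max)];
    }
    return $password;
}

try {
    echo generate_password(16), PHP_EOL;
} catch (Exception $e) {
    // Fail closed: do not fall back to rand() or mt_rand() here.
    fwrite(STDERR, 'Could not generate password: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
```

On PHP 5 the same code works unchanged once random_compat is loaded, which is the polyfill Scott points to for platforms without /dev/urandom.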