Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] RNG fixes
From: cmbecker69@gmx.de (Christoph Becker)
To: internals@lists.php.net, Pierre Joye
Cc: Niklas Keller
Date: Fri, 17 Jun 2016 19:18:43 +0200
In-Reply-To: <1726fd34-8c3c-0af8-ab97-630cbbf13772@fleshgrinder.com>

On 16.06.2016 at 20:55, Fleshgrinder wrote:

> Education is a hard problem that the whole world is struggling with. We
> will never achieve it. We will especially not achieve convincing people
> of legacy software to change. Heck, we cannot even convince anyone here
> to change legacy stuff. Hence, if rand and friends stay, they will
> continue to help people to produce insecure software.

Consequently, we should remove rot13() as well, see . And we shouldn't
stop there, as include(_once), require(_once), file_get_contents() and
readfile() bear the risk of file inclusion vulnerabilities … ;)

In my opinion, our job when designing the language and the core
libraries is not to avoid (or remove) features that can be used to
produce insecure software, but rather to offer additional features that
make it easier to produce secure software, and to document potential
issues and hint at better alternatives. random_*() is such an addition,
and I don't see an urgent need to get rid of (mt_)rand().

--
Christoph M. Becker
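The message above contrasts (mt_)rand() with the random_*() functions as the "better alternative" that documentation should point to. The following is an added example, not code from Christoph Becker's message or from PHP itself, showing the kind of token-generation code the distinction matters for: a variant built on mt_rand() beside the same thing built on random_bytes() and random_int(). It assumes PHP 7.0 or later, where random_int() and random_bytes() exist; the function names weakToken, secureToken and secureIndexToken are this example's own.

```php
<?php
// Added example: not part of the original mailing-list message.
// Assumes PHP >= 7.0 (random_int() / random_bytes() available).

// Weak: mt_rand() is a Mersenne Twister, a non-cryptographic generator.
// Its internal state can be reconstructed from enough observed output,
// so values derived from it must not be used as session identifiers,
// password-reset tokens, CSRF tokens and the like.
function weakToken(int $length = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $token;
}

// Hardened: random_bytes() draws from the operating system's CSPRNG and
// throws an Exception when no secure source is available instead of
// silently degrading. Hex-encoding doubles the length (32 bytes -> 64 chars).
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Hardened alternative for the "pick an index in a range" pattern above:
// random_int() is a drop-in replacement for mt_rand() with inclusive
// bounds and no modulo bias.
function secureIndexToken(int $length = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $max = strlen($alphabet) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[random_int(0, $max)];
    }
    return $token;
}

// Sanity checks on output shape (the security property itself cannot be
// asserted by looking at a single value).
assert(strlen(secureToken()) === 64);
assert(ctype_xdigit(secureToken()));
assert(strlen(secureIndexToken(16)) === 16);

try {
    echo secureToken(), PHP_EOL;
    echo secureIndexToken(), PHP_EOL;
} catch (Exception $e) {
    // No secure randomness available: fail closed rather than falling
    // back to mt_rand(), which would reintroduce the weakness quietly.
    fwrite(STDERR, 'No secure random source available' . PHP_EOL);
    exit(1);
}
```

The point of keeping both variants side by side is the one the message makes: nothing about the language stops anyone from writing weakToken(), but once random_int() and random_bytes() exist the secure version is no longer harder to write than the weak one, and the exception path makes "no secure source" a visible failure instead of a silent downgrade.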