Newsgroups: php.internals
Xref: news.php.net php.internals:94122
Date: Sun, 19 Jun 2016 17:50:34 +0200
To: Christoph Becker, internals@lists.php.net, Pierre Joye
Cc: Niklas Keller
Message-ID: <49fb7830-b186-523a-696c-39e251738bdb@fleshgrinder.com>
Subject: Re: [PHP-DEV] [RFC] RNG fixes
From: Fleshgrinder <php@fleshgrinder.com>

On 6/17/2016 7:18 PM, Christoph Becker wrote:
> Consequently, we should remove rot13() as well, see
> . And we shouldn't stop there as
> include(_once), require(_once), file_get_contents() and readfile() bear
> the risk of file inclusion vulnerabilities … ;)
>
> In my opinion, our job when designing the language and the core
> libraries is not to avoid (or remove) features that can be used to
> produce insecure software, but rather to offer additional features that
> make it easier to produce secure software, and to document potential
> issues and hint at better alternatives. random_*() is such an addition,
> and I don't see an urgent need to get rid of (mt_)rand().

Reminds me of https://github.com/rust-lang/rust/issues/32670

Again, our (mt_)rand() functions are not portable, not standards
compliant, slow, outdated, and dangerous for crypto. There was not a
single argument why we should keep them.
Fixing = BC

-- 
Richard "Fleshgrinder" Fussenegger
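The property behind both the "dangerous for crypto" claim and the "Fixing = BC" remark is that mt_rand() is a seeded, deterministic generator whose output sequence is observable behaviour, whereas random_int() draws from the OS CSPRNG and cannot be seeded. The following PHP snippet is an added illustration, not code from the thread or from PHP itself; the two token helpers and the ALPHABET constant are my own.

```php
<?php
declare(strict_types=1);

// Added example: contrasts a seedable, non-cryptographic generator
// (mt_rand) with the CSPRNG-backed alternative the thread names (random_int).
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// Insecure for secrets: the token is a deterministic function of the seed.
function weak_token(int $length): string
{
    $out = '';
    $max = strlen(ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[mt_rand(0, $max)];
    }
    return $out;
}

// Suitable for secrets: random_int() reads the OS CSPRNG and throws
// (instead of degrading silently) if no secure source is available.
function strong_token(int $length): string
{
    $out = '';
    $max = strlen(ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $out .= ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Returns true when re-seeding with the same value reproduces the same
// token, i.e. when the generator's output is part of its observable contract.
function reproducible_under_seed(callable $gen, int $seed): bool
{
    mt_srand($seed);
    $first = $gen(16);
    mt_srand($seed);
    $second = $gen(16);
    return hash_equals($first, $second);
}

// mt_rand(): same seed, same token. Anyone who learns the seed can
// regenerate every token, and any change to the algorithm alters this
// sequence for every seeded caller, which is the BC break the thread debates.
var_dump(reproducible_under_seed('weak_token', 12345));

// random_int(): mt_srand() has no effect on it, so re-seeding does not
// make its output repeat.
var_dump(reproducible_under_seed('strong_token', 12345));
```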