Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:95970 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 90584 invoked from network); 13 Sep 2016 03:08:46 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 13 Sep 2016 03:08:46 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender) X-PHP-List-Original-Sender: yohgaki@ohgaki.net X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp Received: from [180.42.98.130] ([180.42.98.130:39027] helo=es-i.jp) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 83/45-60695-BBD67D75 for ; Mon, 12 Sep 2016 23:08:45 -0400 Received: (qmail 91246 invoked by uid 89); 13 Sep 2016 03:08:39 -0000 Received: from unknown (HELO mail-qk0-f170.google.com) (yohgaki@ohgaki.net@209.85.220.170) by 0 with ESMTPA; 13 Sep 2016 03:08:39 -0000 Received: by mail-qk0-f170.google.com with SMTP id z190so152776668qkc.3 for ; Mon, 12 Sep 2016 20:08:39 -0700 (PDT) X-Gm-Message-State: AE9vXwOdAhtebOViD2RSzTtU0wQxiL5gb08CT2I5J982svnmZXQsCTUkCh3AvuoWB9u637PcpWODs8TJDSY+vA== X-Received: by 10.55.159.77 with SMTP id i74mr23456931qke.60.1473736113800; Mon, 12 Sep 2016 20:08:33 -0700 (PDT) MIME-Version: 1.0 Received: by 10.140.84.168 with HTTP; Mon, 12 Sep 2016 20:07:53 -0700 (PDT) In-Reply-To: References: <878tuxenl4.fsf@lil.giraffy.jp> <87twdlcs2j.fsf@lil.giraffy.jp> <87h99lch13.fsf@lil.giraffy.jp> <877fagczci.fsf@lil.giraffy.jp> Date: Tue, 13 Sep 2016 12:07:53 +0900 X-Gmail-Original-Message-ID: Message-ID: To: Kazuo Oishi Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Improve uniqid() uniqueness From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Kazuo, On Tue, Sep 13, 2016 at 11:48 AM, Yasuo Ohgaki wrote: >> Current "more_entropy" part (10 bytes) pattern is "n.nnnnnnnn" and its >> variation is 10^9 (1 billion) as written in your RFC. (about 30bits?) >> >> I think it is enough to avoid collision in the same usec, for >> non-security purpose. > > Oops. Thank you for the correction :) I'll fix the RFC. Oops again. I wrote correctly in RFC. Typo was in mail. >> >>> How serious BC is? >> >> You should already know that this BC-breack breaks existing >> valid PHP codes in some situation. (DB error, test failure, etc.) >> >> BC-breack may be acceptable if the change is clearly greate improvement >> or obviously necessary. But this change is not, I think. > > I do think this is needed. > > Let's not please security audit companies. Use of current uniqid() in > security sensitive context is fatal because it is too easy to predict > generated ID even with "more_entropy". Letting make such mistake > moderate is worth the change. In short, making PHP be more secure platform (tolerant even for mistakes) matter to me. This BC is nothing compared to mt_rand() everywhere. Anyway, let's talk BC with real code. I didn't look into all, but only briefly. https://searchcode.com/?q=uniqid&loc=0&loc2=10000&lan=24 I could only find one code that tests uniqid() return value to test uniqid() (?) Other than that, almost all code does not care about uniqid() return value at all. Who cares about uniqid() return value? for what purpose? other than testing uniqid() itself? Even if some test code breaks, does it worth than making PHP be more secure platform? Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net