Newsgroups: php.internals
Date: Fri, 3 Feb 2017 07:56:09 +0900
To: "Christoph M. Becker"
Cc: Lauri Kenttä, Tom Worster, "internals@lists.php.net", Leigh, Nikita Popov
Subject: Re: [PHP-DEV] Re: Improving mt_rand() seed
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

On Thu, Feb 2, 2017 at 10:24 PM, Christoph M. Becker wrote:

> On 02.02.2017 at 12:51, Yasuo Ohgaki wrote:
>
> > Although users must never do this, but there are codes that generate random
> > password/access key by mt_rand().
>
> There is also code that stores clear text passwords. How would you
> prevent that?
>
> IMHO, if users don't care to read the docs[1], it's their fault, and we
> shouldn't waste our time to fix their bugs.

I totally agree. However, there is valid usage like

a.php

b.php

This is unacceptable BC in PHP 7.1. For PHP 7.1, there must be rand()'s own
state at least. This was discussed in another thread, "Reseeding
rand()/mt_rand()". User and system seed should be separated and independent.

Anyway, which code must be fixed, a.php or b.php, in such a case?

Suppose you are a Drupal (or any app's) module developer and are using
mt_rand() that requires random values. Someone else wants to use a static
random sequence, which is rare usage compared to a plain mt_rand() call w/o a
user seed, then suddenly your code becomes broken.

IMO, a.php must be fixed.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
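
The interaction this message describes, sketched as an added example (not code from the thread: the contents of a.php and b.php are not on this page, and every function name below is hypothetical). One module seeds the shared Mersenne Twister state with a fixed value, a second module then builds a key from mt_rand(), and a third variant draws from random_int(), which mt_srand() cannot influence.

```php
<?php
// Added illustration. Function names are hypothetical; they stand in for the
// two scripts the message calls a.php and b.php.

// "a.php" side: wants a repeatable sequence, so it seeds the global generator.
function repeatable_sequence(int $n): array
{
    mt_srand(12345);              // fixed user seed; resets the one shared MT state
    $out = [];
    for ($i = 0; $i < $n; $i++) {
        $out[] = mt_rand(0, 99);
    }
    return $out;
}

// "b.php" side: calls mt_rand() without seeding and relies on automatic seeding.
function key_from_shared_state(int $len = 16): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $key = '';
    for ($i = 0; $i < $len; $i++) {
        $key .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $key;
}

// Same key format, but drawn from random_int() (PHP >= 7.0), which uses the
// operating system CSPRNG and has no state that mt_srand() can touch.
function key_independent(int $len = 16): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $key = '';
    for ($i = 0; $i < $len; $i++) {
        $key .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $key;
}

// Two simulated requests: the seeding module runs first, then a key is made.
function request(callable $makeKey): string
{
    repeatable_sequence(5);
    return $makeKey();
}

$shared = [request('key_from_shared_state'), request('key_from_shared_state')];
$indep  = [request('key_independent'), request('key_independent')];
printf("mt_rand keys repeat:    %s\n", var_export($shared[0] === $shared[1], true));
printf("random_int keys repeat: %s\n", var_export($indep[0] === $indep[1], true));
```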