On 2 Feb 2017, at 8:24, Christoph M. Becker wrote:
On 02.02.2017 at 12:51, Yasuo Ohgaki wrote:
Although users must never do this, but there are codes that generate
random
password/access key by mt_rand().
There is also code that stores clear text passwords. How would you
prevent that?
IMHO, if users don't care to read the docs[1], it's their fault, and
we
shouldn't waste our time to fix their bugs.
[1] <http://php.net/manual/en/function.mt-rand.php>
We cannot fix these bugs without making mt_rand a CSPRNG, which means it
is no longer mt_rand.
All we can do is mitigate the problem (to some unknowable extent) by
seeding mt_rand from php_random_bytes. I don't care if we do this or not
so long as the change is simple and BC, i.e. 32-bit seed that falls back
to something else if php_random_bytes fails.
Tom
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php