On 6/17/2016 7:18 PM, Christoph Becker wrote:
> Consequently, we should remove rot13() as well, see
> <http://news.php.net/php.notes/205744>. And we shouldn't stop there as
> include(_once), require(_once), file_get_contents() and readfile() bear
> the risk of file inclusion vulnerabilities … ;)
>
> In my opinion, our job when designing the language and the core
> libraries is not to avoid (or remove) features that can be used to
> produce insecure software, but rather to offer additional features that
> make it easier to produce secure software, and to document potential
> issues and hint at better alternatives. random_*() is such an addition,
> and I don't see an urgent need to get rid of (mt_)rand().
>

Reminds me of https://github.com/rust-lang/rust/issues/32670

Again, our (mt_)rand() functions are not portable, not standards compliant, slow, outdated, and dangerous for crypto. There was not a single argument why we should keep them.

Fixing = BC

-- 
Richard "Fleshgrinder" Fussenegger
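The thread above contrasts (mt_)rand() with the random_*() functions added in PHP 7. The following is an added example, not code from either poster or from PHP itself; the helper names secureToken(), secureString() and mtRandIsReproducible() are chosen for this illustration. It shows the CSPRNG-backed random_bytes()/random_int() being used for tokens and random strings, and demonstrates the property that makes mt_rand() unsuitable for such values: with a known seed its whole output sequence is reproducible.

```php
<?php
// Added example (not from the thread): security-sensitive values are drawn
// from random_bytes()/random_int(), which use the operating system's CSPRNG,
// rather than from mt_rand()/rand(), whose output is a deterministic
// function of a small seed.

declare(strict_types=1);

/**
 * Hex-encoded token carrying $bytes bytes of entropy from the OS CSPRNG.
 * random_bytes() throws an Exception if no secure source is available
 * instead of silently falling back to something weaker.
 */
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * Random string of $length characters drawn uniformly from $alphabet.
 * random_int() returns an unbiased value in the inclusive range, so no
 * modulo-bias correction is needed.
 */
function secureString(int $length, string $alphabet): string
{
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/**
 * Why mt_rand() is the wrong tool for secrets: re-seeding with the same
 * value yields the same sequence. A seed derived from time() or a process
 * id has only a small space of possibilities, so the sequence is not secret.
 */
function mtRandIsReproducible(int $seed): bool
{
    mt_srand($seed);
    $first = [mt_rand(), mt_rand(), mt_rand()];
    mt_srand($seed);
    $second = [mt_rand(), mt_rand(), mt_rand()];
    return $first === $second; // always true
}

// Constructed seed value for the demonstration only.
$demoSeed = 12345;

echo "token:  ", secureToken(16), PHP_EOL;
echo "string: ", secureString(12, 'abcdefghijklmnopqrstuvwxyz0123456789'), PHP_EOL;
echo "mt_rand reproducible with known seed: ",
    var_export(mtRandIsReproducible($demoSeed), true), PHP_EOL;
```

The two secure helpers never need a seed; the CSPRNG is seeded by the operating system. That is the practical difference the thread's "dangerous for crypto" refers to: the quality of mt_rand()'s output is bounded by the secrecy of a 32-bit seed, while random_bytes() has no application-visible state to guess.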
