From: tstarling
Operating system:
PHP version: 5.4SVN-2012-03-15 (SVN)
Package: Unknown/Other Function
Bug Type: Feature/Change Request
Bug description: Provide secure drop-in replacement for mt_rand()

Description:
------------
mt_rand() is insecure, but people keep using it for security-sensitive purposes anyway, because:

* The interface is more familiar than functions that return binary strings, like openssl_random_pseudo_bytes() and mcrypt_create_iv(). Legacy code uses rand() or mt_rand().
* openssl_random_pseudo_bytes() and mcrypt_generate_iv() are not available on every platform, so mt_rand() is a simple alternative for a developer of distributed software.

I propose adding a function to ext/standard which has the same parameters and return value type as mt_rand(), but uses a secure random source. In particular, I think the random number generation method used by mcrypt_generate_iv(..., MCRYPT_DEV_URANDOM) is most appropriate. It is fast and works on virtually every platform supported by PHP without external library dependencies.

Like mcrypt_generate_iv(), the new function could raise a warning and return false if /dev/urandom cannot be opened. The application can then decide based on its security policies whether it wishes to fall back to mt_rand() or abort the transaction.

The function could be called os_rand(), like Python's os.urandom(), or secure_rand() or rand_s(), like in the Windows CRT security extension.

--
Edit bug report at https://bugs.php.net/bug.php?id=61394&edit=1
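
The core of the function requested above, as an added stand-alone C sketch (not code from the bug report or from PHP): it draws bytes from /dev/urandom, maps them to [min, max], and reports failure instead of silently falling back. The names `read_random` and `os_rand_from`, the 64-bit signature, the -1 return in place of PHP's warning plus false, and the rejection-sampling step that avoids modulo bias are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>

/* Read exactly len bytes from the device at path. 0 on success, -1 on failure.
 * Uses open/read rather than stdio so no extra random bytes sit in a buffer. */
static int read_random(const char *path, void *buf, size_t len)
{
    unsigned char *p = buf;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted by a signal: retry */
        if (n <= 0) {               /* error or unexpected EOF */
            close(fd);
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* Hypothetical os_rand(min, max): uniform integer in [min, max].
 * Returns 0 and stores the value in *out, or -1 if the source is unusable,
 * leaving the caller to decide whether to fall back or abort. */
int os_rand_from(const char *path, int64_t min, int64_t max, int64_t *out)
{
    uint64_t r, span, threshold;
    if (min > max)
        return -1;
    span = (uint64_t)max - (uint64_t)min + 1;   /* 0 means the full 64-bit range */
    threshold = span ? (0 - span) % span : 0;   /* 2^64 mod span */
    do {                                        /* rejection sampling: no modulo bias */
        if (read_random(path, &r, sizeof r) != 0)
            return -1;
    } while (r < threshold);
    *out = (int64_t)((uint64_t)min + (span ? r % span : r));
    return 0;
}

int os_rand(int64_t min, int64_t max, int64_t *out)
{
    return os_rand_from("/dev/urandom", min, max, out);
}
```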