request #15060 Ban usage of non crypto secure/user-space RNG

Infos

Artifact ID#15060

Submitted byThomas Gerbet (tgerbet)

Last Modified On2020-07-03 10:30

Submitted on2020-07-02 18:27

Rank16330

Details

Summary *

Ban usage of non crypto secure/user-space RNG

Original Submission

PHP comes with two proper functions for this usage: random_int() and random_bytes().

Other functions like rand() are a footgun and should be avoided.

The only situation where you could have a valid usage of them is when you need a seeded RNG but even in this situation using something in the spirit of https://github.com/paragonie/seedspring would be a better call.

CategoryOther

Reported in versionEmpty

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2020-07-03

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #15060

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/16/19416/1' of ssh://gerrit.tuleap.net:29418/tuleap into HEAD 91e00fa8eb

Marie Ange Garnier (marieange) , 2020-07-03 10:29

request #15060: Ban usage of non crypto secure/user-space RNG 298081e924

Thomas Gerbet (tgerbet) , 2020-07-02 19:29

Show items referenced by request #15060

Referenced by request #15060

Artifact

rel #14817 11.17

Other

Follow-ups

Marie Ange Garnier (marieange)

2020-07-03 10:30

gerrit #19416 integrated into Tuleap 11.16.99.72

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #14817
Close date set to 2020-07-03

Thomas Gerbet (tgerbet)

2020-07-02 19:30

Patch under review: gerrit #19416.

Status changed from Under implementation to Under review