Stefan Esser wrote:
Hello,
with MD5 and SHA1 more or less broken, I have hacked together sha256() and
sha256_file(),
because people want a secure hashing function in plain PHP without the need for
3rd party
libraries like mhash.
assuming this is true then the built in session handler is pretty vulnerable
right now no?
one only has the choice of md5 or sha1 for the hashing mechanism of the session
handlers id
as far as I can see ... if php gets a sha256 in the core it would possibly be a
good thing
to make that available as an option for session.hash_function?
Both functions are already available to users of the PHP Hardening-Patch for
quite a while.
Actually it is too late in the release process to add it, although it just adds
new files
and only adds a few things in some tables. It is more or less impossible to
break something
but you never know.
If we for some reasons need another 5.1.0 RC, we can maybe add the patch. (It
doesn't need
more than a few compile tests ;)
Patch: http://www.suspekt.org/php-5.1.0-sha256.patch
(So ilia... It is maybe up to your judgement only if I should do a last minute
feature commit ;)
Stefan
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
