On 9 January 2015 at 16:45, Anthony Ferrara <ircmax...@gmail.com> wrote:
>
> Changing this fallback behavior to the correct error should happen.
> However, this will likely break a number of live systems which are
> currently relying on the incorrect behavior (likely without knowing
> it).

I'd call this a sec fix. Absolutely preferable to have an error than a silent fallback to broken crypto.

> Then in a future version (7.1, 8, whatever) remove the fallback and
> keep the error along with returning a failure indication (*0).

Is 7 really too soon? I know we err on the side of compatibility, but in my opinion the fallback should be removed completely (any salt starting with a $ must not degrade to any other method).

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
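The failure mode the thread is about is a salt that names a modular-crypt scheme (`$id$...`) silently producing a hash for a different, weaker scheme. Until the fallback is gone, an application can detect that itself by checking what crypt() handed back. The wrapper below is an added example written for this note, not code from PHP or from anyone on the thread; the function names `safe_crypt` and `salt_scheme` are hypothetical, and the salt strings in the usage comments are constructed.

```php
<?php
// Added example (not from the thread): a defensive wrapper around crypt()
// that refuses a hash produced by a silent algorithm fallback.
// Assumes PHP 5.3+ crypt(); "safe_crypt" and "salt_scheme" are hypothetical names.

/**
 * Return the leading "$id$" token of a modular-crypt salt such as
 * "$6$rounds=5000$abc", or null when the salt is not of that form.
 */
function salt_scheme($salt)
{
    if ($salt === '' || $salt[0] !== '$') {
        return null;                       // traditional DES-style salt
    }
    $end = strpos($salt, '$', 1);          // closing "$" of the id field
    return $end === false ? null : substr($salt, 0, $end + 1);
}

/**
 * crypt() that throws instead of returning a hash from a scheme other
 * than the one the salt requested.
 */
function safe_crypt($password, $salt)
{
    $scheme = salt_scheme($salt);
    if ($scheme === null) {
        // Either a plain DES salt or a malformed "$..." salt; neither is wanted here.
        throw new RuntimeException('refusing non-modular or malformed salt');
    }

    $hash = crypt($password, $salt);

    // crypt() signals failure with "*0" (or "*1" when the salt itself was "*0"),
    // and no real hash is shorter than the 13-character DES form.
    if ($hash === '*0' || $hash === '*1' || strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed for the requested salt');
    }

    // A fallback yields a hash whose prefix no longer matches the requested
    // "$id$" token (a DES fallback, for instance, starts with only "$9").
    if (strncmp($hash, $scheme, strlen($scheme)) !== 0) {
        $got = salt_scheme($hash);
        throw new RuntimeException(sprintf(
            'crypt() returned a %s hash for a %s salt (algorithm fallback)',
            $got === null ? 'DES' : $got,
            $scheme
        ));
    }

    return $hash;
}

// Usage (constructed salts):
//   safe_crypt('correct horse', '$6$rounds=5000$constructedsalt$');
//     -> a SHA-512 crypt string beginning with "$6$rounds=5000$"
//   safe_crypt('correct horse', '$9$unknownscheme$');
//     -> throws, whether crypt() returns "*0" (fixed build) or a DES
//        hash beginning with "$9" (fallback build); it never returns
//        the degraded hash to the caller.
```

The prefix comparison is what catches the fallback on an unpatched build: a DES result reuses the first two salt characters, so it begins with `$9` rather than `$9$`, and the mismatch is treated as a hard error rather than a hash to store. On a build where crypt() already returns `*0` for an unsupported id, the same wrapper fails in the earlier check, so the calling code behaves identically across both versions.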