On Jun 17, 2016 12:43 AM, "Fleshgrinder" <p...@fleshgrinder.com> wrote:
>
> On 6/16/2016 4:21 AM, Pierre Joye wrote:
> > No they don't all do it.
> >
>
> We don't know but I will try to find legitimate usages of (mt_)rand.

Well, now you do, as I gave you examples of such usages. Their code is not
public so I cannot give you links.

I am not sure I follow the legitimate part. There are perfectly legitimate
usages of rand/mt_rand outside crypto. The fact that some developers still
do not get the non-safe part is an education problem. The same applies to
many functions, like serialize, which has many security impacts, but we do
not remove it because some people misuse it constantly.

> On 6/16/2016 4:21 AM, Pierre Joye wrote:
> > There are ways to achieve what you want in a nice way while not breaking
> > things. Let's consider them.
> >
>
> Moving to PECL does not break anything.

It does, as these functions are available by default and cannot be disabled
(ext/standard).
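The distinction the message draws between legitimate non-crypto use of mt_rand and its misuse for secrets, as an added example that is not part of the thread or of PHP's own code. It assumes PHP 7.0 or later (random_bytes is available) and the function names reproducibleSample, weakToken and strongToken are made up for the illustration:

```php
<?php
// Added example, not from the thread. mt_rand is a seeded, deterministic
// generator: fine where reproducibility is wanted, unsafe where an attacker
// must not be able to reproduce the output. random_bytes/random_int draw
// from the OS CSPRNG and have no seed to learn or guess.

// Legitimate non-crypto use: a reproducible sample for a test fixture.
// Same seed, same picks, by design.
function reproducibleSample(array $items, int $seed, int $count): array
{
    mt_srand($seed);
    $picked = [];
    for ($i = 0; $i < $count; $i++) {
        $picked[] = $items[mt_rand(0, count($items) - 1)];
    }
    return $picked;
}

// Misuse: a "secret" token built from mt_rand. Anyone who learns or guesses
// the seed (mt_srand keeps 32 bits of it, so brute force is bounded) gets
// exactly the same token back.
function weakToken(int $seed, int $length = 16): string
{
    mt_srand($seed);
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $token;
}

// Correct for secrets: bytes from the CSPRNG, no seed, not reproducible.
function strongToken(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Assume the attacker has recovered the seed (e.g. a time-based one).
$knownSeed = 1234;
var_dump(weakToken($knownSeed) === weakToken($knownSeed));
var_dump(strongToken() === strongToken());
var_dump(reproducibleSample(['a', 'b', 'c', 'd'], 42, 3)
      === reproducibleSample(['a', 'b', 'c', 'd'], 42, 3));
```

Running it shows the first and third comparisons true and the second false: the reproducible sample is the kind of usage the message calls legitimate, the token regenerated from a known seed is the "non-safe part", and random_bytes is the replacement for that second case only.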
