Status: Open
Labels: documentation (Improvements or additions to documentation)
Description
Our documentation currently covers PHP up to "7.1.0+", but apparently a relevant change was already made in php-7.1.4RC1+:
https://stackoverflow.com/questions/53687593/when-is-mt-rand-seeded
"I just found the answer. Starting with php7.1 mt_rand seeds are not retained. This is the commit for this change."
(answered Dec 8, 2018 at 23:21 by Jens Klammerer)
The commit is php/php-src@e9e860a (Mar 27, 2017):

    Don't retain mt_rand() seeds across requests

    In particular, this prevents manual seeding of mt_rand() to leak
    across requests.

and is included in tags php-7.1.4RC1 through php-8.4.2 and security-audit-2024.
Also relevant is this recent blog post:
https://whiteknightlabs.com/2024/06/14/exploiting-gh-13690-mt_rand-in-php-in-2024/
about a PHP reseeding bug fixed just recently, apparently in PHP 8.3.6 and 8.2.18 (from the NEWS file):

    - Random:
      . Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown modes). (timwolla)
      . Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between requests when MT_RAND_PHP is used). (timwolla)
We should double-check this and document it. We should also read up on the PHP bug reports themselves (GH-13544 and GH-13690), not just the third-party blog post.
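To make the behaviour discussed above concrete, here is an added Python model of PHP's global mt_rand() state in one long-lived worker process. It is example code written for this issue, not code from this project, from php-src or from the issue author. It implements mt_srand()/mt_rand() (no-argument form) in both the default MT19937 mode and the legacy MT_RAND_PHP mode, which goes slightly beyond the text above, and it simulates request shutdown with a `retain_across_requests` switch: True models a PHP older than php/php-src@e9e860a (seed kept), False models 7.1.4RC1 and later (seed forgotten, so the next request reseeds itself). The class and function names, the constructed seed 1234 and the `end_request()` method are this example's own. The model also clears the mode at request end; whether a real build does that correctly is precisely what GH-13690 above was about, so read that line as the intended behaviour, not as a statement about any specific release. The two reference values are what `php -r 'mt_srand(1); echo mt_rand();'` prints on PHP 7.1+ (895547922) and in MT_RAND_PHP mode / PHP 5 (1244335972).

```python
import os

N, M = 624, 397
MATRIX_A = 0x9908B0DF
MASK32 = 0xFFFFFFFF

MT_RAND_MT19937 = 0  # PHP's default mode since 7.1 (standard MT19937 twist)
MT_RAND_PHP = 1      # legacy mode reproducing the pre-7.1 twist bug


class PhpMtRand:
    """Model of the global mt_rand() state of one long-lived PHP worker process (example code)."""

    def __init__(self, retain_across_requests):
        # True models PHP before php-src@e9e860a (7.1.4RC1), False models after it.
        self.retain = retain_across_requests
        self.state = None          # None == not seeded, as at process start
        self.index = N
        self.mode = MT_RAND_MT19937

    def mt_srand(self, seed, mode=MT_RAND_MT19937):
        """Expand the 32-bit seed into the 624-word state (init_genrand), then twist once."""
        s = [seed & MASK32]
        for i in range(1, N):
            prev = s[i - 1]
            s.append((1812433253 * (prev ^ (prev >> 30)) + i) & MASK32)
        self.state = s
        self.mode = mode
        self._reload()

    def _reload(self):
        """The MT19937 twist, done in place and in index order like php_mt_reload()."""
        s = self.state
        for i in range(N):
            u, v = s[i], s[(i + 1) % N]
            mixed = (u & 0x80000000) | (v & 0x7FFFFFFF)
            # The legacy bug: MT_RAND_PHP takes the low bit of u instead of v.
            low_bit = (u if self.mode == MT_RAND_PHP else v) & 1
            s[i] = s[(i + M) % N] ^ (mixed >> 1) ^ (MATRIX_A if low_bit else 0)
        self.index = 0

    def mt_rand(self):
        """mt_rand() with no arguments: tempered 32-bit output shifted right by one."""
        if self.state is None:
            # Unseeded: PHP seeds itself from a fresh random 32-bit value on first use.
            self.mt_srand(int.from_bytes(os.urandom(4), "little"))
        if self.index >= N:
            self._reload()
        y = self.state[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return (y & MASK32) >> 1

    def end_request(self):
        """Request shutdown. After e9e860a the seed is forgotten, so the next request reseeds."""
        if not self.retain:
            self.state = None
            self.mode = MT_RAND_MT19937   # intended reset; GH-13690 was about this for MT_RAND_PHP


def first_output(seed, mode=MT_RAND_MT19937):
    """What `mt_srand($seed); echo mt_rand();` prints in a fresh process."""
    g = PhpMtRand(retain_across_requests=False)
    g.mt_srand(seed, mode)
    return g.mt_rand()


def seed_leaks_into_next_request(retain_across_requests):
    """Request 1 seeds manually and draws once; request 2 on the same worker never calls
    mt_srand(). Returns True if request 2 simply continues request 1's sequence."""
    worker = PhpMtRand(retain_across_requests)
    worker.mt_srand(1234)        # constructed seed, e.g. left over from legacy application code
    worker.mt_rand()
    worker.end_request()
    observed = worker.mt_rand()  # request 2: first draw, no seeding

    reference = PhpMtRand(retain_across_requests=False)
    reference.mt_srand(1234)
    reference.mt_rand()
    return observed == reference.mt_rand()


if __name__ == "__main__":
    print("mt_srand(1); mt_rand()  default mode:", first_output(1))
    print("mt_srand(1); mt_rand()  MT_RAND_PHP: ", first_output(1, MT_RAND_PHP))
    print("seed survives request boundary, pre-7.1.4 model: ", seed_leaks_into_next_request(True))
    print("seed survives request boundary, 7.1.4+ model:    ", seed_leaks_into_next_request(False))
```

The point the model makes for documentation purposes: mt_rand() output is a pure function of a 32-bit seed, so on a build that keeps the seed across requests, one request's mt_srand() call determines what unrelated scripts on the same worker get afterwards; on 7.1.4RC1+ the worker reseeds from fresh randomness at the next request, which is the behaviour the e9e860a commit message describes.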