Document relevant PHP changes after 7.1.0

[solardiz]

Our documentation currently covers PHP up to "7.1.0+", but apparently a relevant change was made already in php-7.1.4RC1+:

https://stackoverflow.com/questions/53687593/when-is-mt-rand-seeded

I just found the answer. Starting with php7.1 mt_rand seeds are not retained. This is the commit for this change.
answered Dec 8, 2018 at 23:21
Jens Klammerer

The commit is php/php-src@e9e860a

Mar 27, 2017
Don't retain mt_rand() seeds across requests
In particular, this prevents manual seeding of mt_rand() to leak
across requests.

and is included in tags php-7.1.4RC1 through php-8.4.2 and security-audit-2024.

Also relevant is this recent blog post:

https://whiteknightlabs.com/2024/06/14/exploiting-gh-13690-mt_rand-in-php-in-2024/

about a PHP reseeding bug fixed just recently, apparently in PHP 8.3.6 and 8.2.18:

- Random:
. Fixed bug GH-13544 (Pre-PHP 8.2 compatibility for mt_srand with unknown
modes). (timwolla)
. Fixed bug GH-13690 (Global Mt19937 is not properly reset in-between
requests when MT_RAND_PHP is used). (timwolla)

We should double-check this and document it. Also, read up on the PHP bugs above (not just third-party blog).