Weak algorithms usage should be avoided [#3103145]

To avoid false positives weak algorithms should not be used (see https://www.drupal.org/node/845876)

Affected code:

docroot/modules/contrib/captcha/src/Element/Captcha.php 117

Solution:

use Drupal’s hashBase64 methods:

\Drupal\Component\Utility\Crypt::hashBase64($data)
\Drupal\Component\Utility\Crypt::hmacBase64($data, $key)

Comment	File	Size	Author
#6	captcha-usage_of_weak_algorithms-3103145-6.patch	2.61 KB	nileshlohar
#6	8.x-1.x: PHP 7.2 & MySQL 5.5, D8.8.1 27 pass
#4	captcha-usage_of_weak_algorithms-3103145-4.patch	2.61 KB	nileshlohar
#4	8.x-1.x: PHP 7.2 & MySQL 5.5, D8.8.1 27 pass
#3	captcha-usage_of_weak_algorithms-3103145-3.patch	2.84 KB	omkar06
#3	8.x-1.x: PHP 7.2 & MySQL 5.5, D8.8.1 15 pass, 4 fail PHP 7.2 & MySQL 5.5, D8.7 15 pass, 4 fail
#2	captcha-usage_of_weak_algorithms-3103145-2.patch	1.35 KB	omkar06
#2	8.x-1.x: PHP 7.2 & MySQL 5.5, D8.8.1 14 pass, 5 fail

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

26 December 2019 at 09:52

omkar06 created an issue. See original summary.

Comment #2

omkar06 CreditAttribution: omkar06 as a volunteer and at Acquia commented 26 December 2019 at 10:05

Assigned:	omkar06	» Unassigned
Status:	Active	» Needs review

File	Size
captcha-usage_of_weak_algorithms-3103145-2.patch	1.35 KB
8.x-1.x: PHP 7.2 & MySQL 5.5, D8.8.1 14 pass, 5 fail

Comment #3

omkar06 CreditAttribution: omkar06 as a volunteer and at Acquia commented 26 December 2019 at 10:33

File	Size
captcha-usage_of_weak_algorithms-3103145-3.patch	2.84 KB
8.x-1.x: PHP 7.2 & MySQL 5.5, D8.8.1 15 pass, 4 fail PHP 7.2 & MySQL 5.5, D8.7 15 pass, 4 fail

Attaching revised patch.

Comment #4

nileshlohar CreditAttribution: nileshlohar at Acquia commented 3 January 2020 at 10:40

File	Size
captcha-usage_of_weak_algorithms-3103145-4.patch	2.61 KB
8.x-1.x: PHP 7.2 & MySQL 5.5, D8.8.1 27 pass

Updated patch.

Comment #5

Heine CreditAttribution: Heine at LimoenGroen commented 3 January 2020 at 10:58

Would it not make more sense to directly use Crypt::randomBytesBase64() ?

Comment #6

nileshlohar CreditAttribution: nileshlohar at Acquia commented 3 January 2020 at 12:20

File	Size
captcha-usage_of_weak_algorithms-3103145-6.patch	2.61 KB
8.x-1.x: PHP 7.2 & MySQL 5.5, D8.8.1 27 pass

Thanks @Heine.
It makes sense.
Updating the patch.

Comment #7

omkar06 CreditAttribution: omkar06 as a volunteer and at Acquia commented 9 January 2020 at 04:53

Status:

Needs review

» Reviewed & tested by the community

Patch provided on #6 tested on local and it looks working as expected.

Comment #8

wundo CreditAttribution: wundo at Chuva Inc. commented 20 February 2020 at 10:51

Priority:

Normal

» Major

Comment #9

wundo CreditAttribution: wundo at Chuva Inc. for Galoa Science commented 20 February 2020 at 10:51

Comment #10

20 February 2020 at 10:52

wundo committed 6731656 on 8.x-1.x authored by nileshlohar

Issue #3103145 by omkar06, nileshlohar, wundo, Heine: Weak algorithms...

Comment #11

wundo CreditAttribution: wundo at Chuva Inc. for Galoa Science commented 20 February 2020 at 10:52

Status:

Reviewed & tested by the community

» Fixed

Comment #12

5 March 2020 at 10:54

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Weak algorithms usage should be avoided

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

News items

Our community

Documentation

Drupal code base

Governance of community