To avoid false positives, weak algorithms should not be used (see https://www.drupal.org/node/845876).
Affected code:
docroot/modules/contrib/captcha/src/Element/Captcha.php 117
Solution:
Use Drupal’s hashBase64 methods:
\Drupal\Component\Utility\Crypt::hashBase64($data)
\Drupal\Component\Utility\Crypt::hmacBase64($data, $key)
Comment | File | Size | Author |
---|---|---|---|
#6 | captcha-usage_of_weak_algorithms-3103145-6.patch | 2.61 KB | nileshlohar |
#4 | captcha-usage_of_weak_algorithms-3103145-4.patch | 2.61 KB | nileshlohar |
#3 | captcha-usage_of_weak_algorithms-3103145-3.patch | 2.84 KB | omkar06 |
#2 | captcha-usage_of_weak_algorithms-3103145-2.patch | 1.35 KB | omkar06 |
Comments
Comment #2
omkar06 (as a volunteer and at Acquia) commented
Comment #3
omkar06 (as a volunteer and at Acquia) commented
Attaching revised patch.
Comment #4
nileshlohar (at Acquia) commented
Updated patch.
Comment #5
Heine (at LimoenGroen) commented
Would it not make more sense to directly use Crypt::randomBytesBase64()?
Comment #6
nileshlohar (at Acquia) commented
Thanks @Heine.
It makes sense.
Updating the patch.
Comment #7
omkar06 (as a volunteer and at Acquia) commented
The patch provided in #6 was tested locally and it looks to be working as expected.
Comment #8
wundo (at Chuva Inc.) commented
Comment #9
wundo (at Chuva Inc. for Galoa Science) commented
Comment #11
wundo (at Chuva Inc. for Galoa Science) commented
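
Added example (not code from the CAPTCHA module, its patches, or Drupal core): plain-PHP stand-ins for the three Crypt helpers named in the issue summary and in comment #5, showing how a digest, a keyed digest, and a random token differ when the value only needs to be unpredictable. The function names, the sample values, the SHA-256 and URL-safe base64 choices, and md5 as the representative weak algorithm are assumptions; the page does not show the code at line 117.

```php
<?php
declare(strict_types=1);

// URL-safe base64 without padding, usable in a form field or URL.
function url_safe_base64(string $raw): string {
  return str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($raw));
}

// Hypothetical stand-in for Crypt::hashBase64(): unkeyed, deterministic digest.
function example_hash_base64(string $data): string {
  return url_safe_base64(hash('sha256', $data, true));
}

// Hypothetical stand-in for Crypt::hmacBase64(): keyed digest, needs the key.
function example_hmac_base64(string $data, string $key): string {
  return url_safe_base64(hash_hmac('sha256', $data, $key, true));
}

// Hypothetical stand-in for Crypt::randomBytesBase64(): bytes from the CSPRNG.
function example_random_bytes_base64(int $count = 32): string {
  return url_safe_base64(random_bytes($count));
}

// Constructed sample values, not taken from the module.
$data = 'captcha-session-1234';
$key = 'constructed-site-secret';

// Assumed "before": a 128-bit digest from a broken hash function.
$weak = md5($data);

$digest = example_hash_base64($data);
$mac = example_hmac_base64($data, $key);
$token_a = example_random_bytes_base64();
$token_b = example_random_bytes_base64();

printf("md5 (weak):    %s (%d chars)\n", $weak, strlen($weak));
printf("sha256 base64: %s (%d chars)\n", $digest, strlen($digest));
printf("hmac base64:   %s (%d chars)\n", $mac, strlen($mac));
printf("random token:  %s (%d chars)\n", $token_a, strlen($token_a));

// A digest can be reproduced by anyone who knows the input, an HMAC only by a
// holder of the key, and a random token depends on no input at all.
var_dump($digest === example_hash_base64($data));                   // true
var_dump(hash_equals($mac, example_hmac_base64($data, $key)));      // true
var_dump(hash_equals($mac, example_hmac_base64($data, 'other')));   // false
var_dump($token_a !== $token_b);                                    // true
var_dump(preg_match('/^[A-Za-z0-9_-]{43}$/', $token_a) === 1);      // true
```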