Per Drupal secure coding standards at http://drupal.org/node/845876

md5 and sha1 should not be used any place in Drupal core since 7.0, but are re-introduced in the Filter module for 8.x (and also 7.x)

core/modules/filter/filter.module
1715:    $hash = md5($content);

core/modules/filter/lib/Drupal/filter/Tests/FilterHtmlImageSecureTest.php
117:      $comment[] = '<img src="' . $image . '" testattribute="' . md5($image) . '" />';
125:      foreach ($this->xpath('//img[@testattribute="' . md5($image) . '"]') as $element) {
CommentFileSizeAuthor
#6 1884830-6.patch506 bytesdcam
#1 1884830-1.patch1.84 KBpwolanin
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Status: Active » Needs review
FileSize
1884830-1.patch1.84 KB
pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Assigned: Unassigned » pwolanin
Elijah Lynn’s picture

Elijah Lynn
Location Portland, Oregon
CreditAttribution: Elijah Lynn commented
Status: Needs review » Reviewed & tested by the community

Tested locally on my LAMP stack, passed all tests.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented
Status: Reviewed & tested by the community » Fixed

Committed and pushed to 8.x. Thanks!

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Version: 8.x-dev » 7.x-dev
Status: Fixed » Patch (to be ported)

I think this needs a backport to 7 too.

dcam’s picture

dcam CreditAttribution: dcam commented
Assigned: pwolanin » Unassigned
Status: Patch (to be ported) » Needs review
FileSize
1884830-6.patch506 bytes

Backported #1 to D7. It looks to me like the test changes are not backportable.

  • webchick committed 5082019 on 8.3.x 
    Issue #1884830 by pwolanin: Fixed Regression - replace md5 in Filter...

  • webchick committed 5082019 on 8.3.x 
    Issue #1884830 by pwolanin: Fixed Regression - replace md5 in Filter...

  • webchick committed 5082019 on 8.4.x 
    Issue #1884830 by pwolanin: Fixed Regression - replace md5 in Filter...

  • webchick committed 5082019 on 8.4.x 
    Issue #1884830 by pwolanin: Fixed Regression - replace md5 in Filter...
pwolanin’s picture

pwolanin CreditAttribution: pwolanin as a volunteer and at SciShield commented
Issue summary: View changes
Status: Needs review » Reviewed & tested by the community
stefan.r’s picture

stefan.r CreditAttribution: stefan.r commented
Issue tags: +Pending Drupal 7 commit

Looks good! No need to do a change record for this in case anyone was relying on a specific hash?

  • stefan.r committed deb4de9 on 7.x 
    Issue #1884830 by pwolanin, dcam: Regression - replace md5 in Filter...
stefan.r’s picture

stefan.r CreditAttribution: stefan.r commented
Status: Reviewed & tested by the community » Fixed
Issue tags: -Pending Drupal 7 commit

Committed and pushed to 7.x, thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
CreditAttribution: greggles at CARD.com commented
Title: Regression - replace md5 in Filter module calls with sha2 hashes » Regression - replace md5 in Filter module calls with sha256 hashes

Updating the title to the slightly more specific description of what the change was.