Hello everyone.

During our recent internal security review of Drupal Core we found that the filter module is still using MD5 for escaping contents for HTML comments.

In this instance MD5 isn’t being used in a security context, but MD5 has been deemed insecure and I (like anyone else who is interested in FIPS) need to get an exemption for every use of MD5.
The reasoning behind removing MD5 from Drupal has been discussed already: http://engineeredweb.com/blog/10/5/new-way-generate-hashes-drupal-7/

I was under the impression that Drupal Core had agreed and already completed the work by removing all instances of MD5 from the code base - https://drupal.org/node/723802.
This seems like the last occurrence holding back Drupal 7 from being completely free of MD5 usage during normal use.
It is easy to fix this by using hash('sha256', $content) instead.

Are you interested in making this fix?

Many thanks
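
An added example, not part of the original post and not Drupal's filter module code: it assumes the digest serves only as a placeholder key while HTML comments are set aside during filtering, which makes the switch to hash('sha256', ...) a drop-in change. The function names and the sample input are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical, not Drupal's own.

/**
 * Replace each HTML comment with a placeholder comment keyed by a digest of
 * its body, so later text processing cannot alter the comment's contents.
 */
function stash_html_comments(string $text, array &$stash, string $algo = 'sha256'): string {
  return preg_replace_callback('/<!--(.*?)-->/s', function (array $m) use (&$stash, $algo) {
    // The digest is only a lookup key here, not a security control.
    $key = hash($algo, $m[1]);
    $stash[$key] = $m[1];
    return "<!-- $key -->";
  }, $text);
}

/**
 * Put the original comment bodies back in place of their placeholders.
 */
function restore_html_comments(string $text, array $stash): string {
  return preg_replace_callback('/<!-- ([0-9a-f]+) -->/', function (array $m) use ($stash) {
    // Unknown keys are left untouched rather than dropped.
    return isset($stash[$m[1]]) ? '<!--' . $stash[$m[1]] . '-->' : $m[0];
  }, $text);
}

// Constructed sample input: one URL inside a comment, one outside.
$input = 'See <!-- http://example.com/not-a-link --> and http://example.com/page';
$stash = [];
$escaped = stash_html_comments($input, $stash);

// Stand-in for a filter step that must not touch comment bodies.
$processed = preg_replace('~https?://\S+~', '<a href="$0">$0</a>', $escaped);

// The comment comes back byte for byte; only the bare URL was linked.
echo restore_html_comments($processed, $stash), PHP_EOL;
```

The restore pattern matches any run of lowercase hex, so the same code works whether the key is 32 characters (MD5) or 64 (SHA-256).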


Comments

Fabio.E.Questionmark

Please find attached a patch to remove the md5 usage from the filter module.

Fabio.E.Questionmark

Status: Active » Needs review

Fabio.E.Questionmark

Version: 7.26 » 7.x-dev