the md5() and sha1() hash functions should never be used in any code [#3000587]

Problem/Motivation

Use of a Broken or Risky Cryptographic Algorithm in modules/contrib/entity_browser/src/plugin/field/fieldwidget/entityreferencebrowserwidget.php (line 522)

'#name' => $this->fieldDefinition->getName() . '_remove_' . $entity->id() . '_' . $row_id . '_' . md5(json_encode($field_parents)),

See https://www.drupal.org/node/845876

the md5() and sha1() hash functions should never be used in any code

this can be a problem if, for example, Government entities require such audits - which would then require additional documentation to verify that they are indeed, not a security issue.

Proposed resolution

use \Drupal\Component\Utility\Crypt::hashBase64($data)

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comment	File	Size	Author
#26	3000587_26.patch	5.96 KB	fernly
#24	3000587_24.patch	6.17 KB	fernly
#20	3000587_20.patch	6.2 KB	mpp
#9	entity_browser-replace_crypto-30005870-8.patch	6.73 KB	ducktape
#7	entity_browser-8.2.2--replace_risky_crypto_algorithm_usage-3000587-7.patch	6.72 KB	omkar06
#4	entity_browser-eplace_risky_crypto_algorithm_usage-3000587-4.patch	6.74 KB	omkar06

Issue fork entity_browser-3000587

Show commands

Start within a Git clone of the project using the version control instructions.

Add & fetch this issue fork’s repository

Or, if you do not have SSH keys set up on git.drupalcode.org:

Add & fetch this issue fork’s repository

3000587-the-md5-and changes, plain diff MR !87
Check out this branch for the first time

Check out existing branch, if you already have it locally

About issue forks

Comments

Comment #1

18 September 2018 at 13:16

suresh kumara created an issue. See original summary.

Comment #2

alexmoreno commented 19 July 2019 at 16:10

Agree, as per >D7 policy, weak cryptographic algorithms should not be used. See: https://www.drupal.org/node/845876

There are other files where this is an issue:

docroot/modules/contrib/entity_browser/src/Element/EntityBrowserElement.php 177
docroot/modules/contrib/entity_browser/src/Plugin/Field/FieldWidget/EntityReferenceBrowserWidget.php 562
docroot/modules/contrib/entity_browser/src/Plugin/Field/FieldWidget/EntityReferenceBrowserWidget.php 579
docroot/modules/contrib/entity_browser/src/Plugin/Field/FieldWidget/FileBrowserWidget.php 388
docroot/modules/contrib/entity_browser/src/Plugin/Field/FieldWidget/FileBrowserWidget.php 405

Comment #3

omkar06 commented 20 November 2019 at 04:41

Assigned:

Unassigned

» omkar06

Comment #4

omkar06 commented 20 November 2019 at 08:05

Version:

8.x-2.0

» 8.x-2.2

Status	File	Size
new	entity_browser-eplace_risky_crypto_algorithm_usage-3000587-4.patch	6.74 KB

Replaced usage of sha1 and md5 with \Drupal\Component\Utility\Crypt::hashBase64($data)

Comment #5

omkar06 commented 20 November 2019 at 08:05

Status:

Active

» Needs review

Comment #6

omkar06 commented 20 November 2019 at 10:52

Version:	8.x-2.2	» 8.x-2.0
Assigned:	omkar06	» Unassigned

Comment #7

omkar06 commented 21 November 2019 at 06:46

Status	File	Size
new	entity_browser-8.2.2--replace_risky_crypto_algorithm_usage-3000587-7.patch	6.72 KB

Patch for 8.2.2 version.

Comment #8

omkar06 commented 21 November 2019 at 12:02

Version:

8.x-2.0

» 8.x-2.x-dev

Comment #9

ducktape commented 26 November 2019 at 12:39

Status	File	Size
new	entity_browser-replace_crypto-30005870-8.patch	6.73 KB

Rerolled against dev.

Comment #10

alexmoreno commented 27 November 2019 at 09:04

Status:

Needs review

» Reviewed & tested by the community

LGTM, tested and working in a platform with a few dozen sites running.

Comment #11

oknate

Greater New York City Area

commented 12 December 2019 at 11:27

Title:	Use of a Broken or Risky Cryptographic Algorithm in modules/contrib/entity_browser/src/plugin/field/fieldwidget/entityreferencebrowserwidget.php in (line 522)	» the md5() and sha1() hash functions should never be used in any code
Issue summary:	View changes

Comment #12

oknate

Greater New York City Area

commented 12 December 2019 at 11:27

Issue summary:

View changes

Comment #13

oknate

Greater New York City Area

commented 12 December 2019 at 11:40

Comment #14

12 December 2019 at 11:42

oknate committed 5531e0a on 8.x-2.x authored by omkar06

Issue #3000587 by omkar06: the md5() and sha1() hash functions should...

Comment #15

12 December 2019 at 11:42

oknate committed d8a857f on 8.x-1.x authored by omkar06

Issue #3000587 by omkar06: the md5() and sha1() hash functions should...

Comment #16

oknate

Greater New York City Area

commented 12 December 2019 at 11:43

Status:

Reviewed & tested by the community

» Fixed

This makes sense. The new hashing function is the recommended one, and it returns a consistent hash, and it won’t get flagged by government audits.

Comment #17

26 December 2019 at 11:44

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Comment #18

guptahemant commented 17 January 2020 at 10:50

hi @oknate

It seems the patch in this issue reverted the code which was added as a fix for this issue https://www.drupal.org/project/entity_browser/issues/3000587,

I.e
$this->fieldDefinition->getUniqueIdentifier()
got replaced by
$this->fieldDefinition->get('uuid')

Please check i think it would need to be reverted.

Thanks

Comment #19

oknate

Greater New York City Area

commented 17 January 2020 at 11:46

Status:

Closed (fixed)

» Needs work

Thank you, guptahemant!

I have reverted this for now. We need a new patch that uses $this->fieldDefinition->getUniqueIdentifier() instead of $this->fieldDefinition->get('uuid')

Comment #20

mpp commented 6 February 2020 at 17:57

Status:

Needs work

» Needs review

Status	File	Size
new	3000587_20.patch	6.2 KB

Comment #21

anybody

German

Porta Westfalica

commented 5 May 2020 at 15:15

Status:

Needs review

» Reviewed & tested by the community

Well done @mpp, @oknate, would you also have a look?

Comment #22

mpp commented 5 May 2020 at 16:48

Thanks for the feedback @Anybody.

Comment #23

joseph.olstad

French

commented 8 December 2020 at 18:01

there are other non cryptographic uses for sha1 , pretty strong language above.

https://www.drupal.org/project/media_unique

Comment #24

fernly commented 22 August 2022 at 13:21

Status	File	Size
new	3000587_24.patch	6.17 KB

Reroll of patch 20 against version 8.x-2.8.

Comment #25

dave reid

he/him

English

Nebraska USA

commented 11 December 2023 at 19:59

Status:

Reviewed & tested by the community

» Needs work

Patch no longer applies and needs to be re-rolled or MR opened.

Comment #26

fernly commented 29 January 2024 at 10:45

Status:

Needs work

» Needs review

Status	File	Size
new	3000587_26.patch	5.96 KB

Reroll of patch 24 against current 8.x-2.x-dev version (should work on 8.x-2.10).

Comment #27

anybody

German

Porta Westfalica

commented 19 August 2025 at 14:54

Could someone turn this into a MR finally to get this fixed?

Comment #28

19 August 2025 at 19:28

joseph.olstad opened merge request !87

Comment #29

anybody

German

Porta Westfalica

commented 20 August 2025 at 07:50

Thanks @joseph.olstad I'm willing to merge this once it's RTBC'd!

Comment #30

anybody

German

Porta Westfalica

commented 20 August 2025 at 07:54

Status:

Needs review

» Reviewed & tested by the community

Okay it's used in a lot similar places in core, so I'm fine with that!
https://api.drupal.org/api/drupal/core%21lib%21Drupal%21Component%21Util...

Comment #31

anybody

German

Porta Westfalica

commented 20 August 2025 at 07:54

Status:

Reviewed & tested by the community

» Fixed

Comment #32

20 August 2025 at 07:54

anybody committed 06dceb85 on 8.x-2.x authored by joseph.olstad

Issue #3000587 by omkar06, fernly, joseph.olstad, ducktape, oknate,...

Comment #33

3 September 2025 at 07:59

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.