To avoid false positives weak algorithms should not be used (see https://www.drupal.org/node/845876)

Affected code:

docroot/modules/contrib/captcha/src/Element/Captcha.php 117

Solution:

use Drupal’s hashBase64 methods:

\Drupal\Component\Utility\Crypt::hashBase64($data)
\Drupal\Component\Utility\Crypt::hmacBase64($data, $key)

CommentFileSizeAuthor
#6 captcha-usage_of_weak_algorithms-3103145-6.patch2.61 KBnileshlohar
#4 captcha-usage_of_weak_algorithms-3103145-4.patch2.61 KBnileshlohar
#3 captcha-usage_of_weak_algorithms-3103145-3.patch2.84 KBomkar06
#2 captcha-usage_of_weak_algorithms-3103145-2.patch1.35 KBomkar06

Comments

omkar06 created an issue. See original summary.

omkar06’s picture

omkar06 commented
Assigned: omkar06 » Unassigned
Status: Active » Needs review
StatusFileSize
new captcha-usage_of_weak_algorithms-3103145-2.patch1.35 KB
omkar06’s picture

omkar06 commented
StatusFileSize
new captcha-usage_of_weak_algorithms-3103145-3.patch2.84 KB

Attaching revised patch.

nileshlohar’s picture

nileshlohar commented
StatusFileSize
new captcha-usage_of_weak_algorithms-3103145-4.patch2.61 KB

Updated patch.

heine’s picture

heine commented

Would it not make more sense to directly use Crypt::randomBytesBase64() ?

nileshlohar’s picture

nileshlohar commented
StatusFileSize
new captcha-usage_of_weak_algorithms-3103145-6.patch2.61 KB

Thanks @Heine.
It makes sense.
Updating the patch.

omkar06’s picture

omkar06 commented
Status: Needs review » Reviewed & tested by the community

Patch provided on #6 tested on local and it looks working as expected.

wundo’s picture

wundo commented
Priority: Normal » Major
wundo’s picture

wundo commented

  • wundo committed 6731656 on 8.x-1.x authored by nileshlohar 
    Issue #3103145 by omkar06, nileshlohar, wundo, Heine: Weak algorithms...
wundo’s picture

wundo commented
Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.