Replace md5 calls with sha256 in Views in core [#1884828]

Per Drupal secure coding standards at http://drupal.org/node/845876

md5 and sha1 should not be used any place in Drupal core since 7.0, but are re-introduced in the Views module for 8.x:

core/modules/views/lib/Drupal/views/Plugin/views/cache/CachePluginBase.php
298:      $this->resultsKey = $this->view->storage->get('name') . ':' . $this->displayHandler->display['id'] . ':results:' . md5(serialize($key_data));
322:      $this->outputKey = $this->view->storage->get('name') . ':' . $this->displayHandler->display['id'] . ':output:' . md5(serialize($key_data));

core/modules/views/lib/Drupal/views/Plugin/views/display/DisplayPluginBase.php
133:      $cid = 'unpackOptions:' . md5(serialize(array($this->options, $options)));

core/modules/views/lib/Drupal/views/Plugin/views/style/StylePluginBase.php
559:                $grouping = md5(serialize($grouping));

core/modules/views/lib/Drupal/views/ViewExecutable.php
1416:    $this->dom_id = !empty($this->dom_id) ? $this->dom_id : md5($this->storage->get('name') . REQUEST_TIME . rand());

Comment	File	Size	Author
#1	1884828-1.patch	3.64 KB	pwolanin
#1

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

pwolanin CreditAttribution: pwolanin commented 10 January 2013 at 03:29

File	Size
1884828-1.patch	3.64 KB

Also, rand() is slow and unreliable - mt_rand() should be used instead per the PHP docs.

Comment #2

pwolanin CreditAttribution: pwolanin commented 10 January 2013 at 03:29

Status:

Active

» Needs review

Comment #3

pwolanin CreditAttribution: pwolanin commented 10 January 2013 at 13:51

Assigned:

Unassigned

» pwolanin

Comment #4

tim.plunkett

he/him

English

Philadelphia

CreditAttribution: tim.plunkett commented 10 January 2013 at 14:46

Issue tags:

+VDC

Tagging.

Comment #5

dawehner

German

CreditAttribution: dawehner commented 10 January 2013 at 18:34

Status:

Needs review

» Reviewed & tested by the community

Perfect, and I don't think performance matters here as it's not executed really often.

+1 for mt_rand()

Comment #6

webchick

she/they

English

Vancouver 🇨🇦

CreditAttribution: webchick commented 10 January 2013 at 18:56

Status:

Reviewed & tested by the community

» Fixed

I always found these kinds of changes to just protect Drupal from brain-dead security scanners that even flag "md5" in *comments* and *text files* as security issues kinda silly, but OTOH I can attest that the sec. team gets bogus bug reports about this all the time, so it's nice to eliminate these. Thanks!

Committed and pushed to 8.x. Thanks!

Comment #7

dawehner

German

CreditAttribution: dawehner commented 11 January 2013 at 04:37

Anyone know whether this might be worth to backport to D7?

Comment #8

pwolanin CreditAttribution: pwolanin commented 11 January 2013 at 14:34

Yes, I would consider this for backport - ideally all 7.x modules should have stopped using md5.

Comment #9

dawehner

German

CreditAttribution: dawehner commented 11 January 2013 at 18:45

Project:	Drupal core	» Views (for Drupal 7)
Version:	8.x-dev	» 7.x-3.x-dev
Component:	views.module	» Code
Status:	Fixed	» Patch (to be ported)

Comment #10

merlinofchaos CreditAttribution: merlinofchaos commented 11 January 2013 at 20:35

In at least some cases in D7, the 32 byte length of the hash is the reason we're using it, not any security reason; sha256 keys are longer, I believe, so can't be used in that situation. If md5 is really to be considered evil (and boy, I dislike that) we would need to come up with another solution.

Comment #11

pwolanin CreditAttribution: pwolanin commented 11 January 2013 at 23:28

@merlinofchaos in the block patch at #1884826: Regression - replace md5 in Block module calls with sha2 hashes I did:

substr(hash('sha256', $delta), 0, 32);

though happily that code was't needed at all.

Probably better (more bits) is:

$hash = substr(drupal_hash_base64($delta), 0, 32);

Which we use in facetapi for block deltas:
http://drupalcode.org/project/facetapi.git/blob/refs/heads/7.x-1.x:/face...

Comment #12

merlinofchaos CreditAttribution: merlinofchaos commented 12 January 2013 at 04:50

An update should also clear caches and other things where we're using these MD5s for later lookups to avoid confusion.

Also changing those will unexpectedly change people's block deltas. While it seems highly unlikely that anyone is using a silly md5 for their CSS on their view blocks...and yet, I've seen people do weirder things. So we could potentially hurt those sites.

Comment #13

dawehner

German

CreditAttribution: dawehner commented 12 January 2013 at 08:13

That is a good point!

Another point is that the blocks are currently stored in the block table with it's md5-deltas, so if you would use sha2 the block positions for example
would get lost without an update function, but as blocks are even stored in features you simply don't have a way to fix all of them.

Comment #14

greggles

he/him

English

Denver, Colorado, USA

CreditAttribution: greggles at CARD.com commented 26 July 2017 at 15:19

Title:	Replace md5 calls with sha2 in Views in core	» Replace md5 calls with sha256 in Views in core
Issue summary:	View changes

I found this recently when searching and just wanted to update at least the title to say sha256 since that is what I believe is the goal and not just any of the sha2 functions (see this explainer about the differences).