Hello everyone.
During our recent internal security review we found that the Bootstrap module is using MD5 in order to generate accordion div element IDs.
In this instance MD5 isn’t being used in a security context but MD5 has been deemed insecure and I (like anyone else who is interested in FIPS - Federal Information Processing Standards) need to get an exemption for every use of MD5.
The reasoning behind removing MD5 from Drupal has been discussed already: http://engineeredweb.com/blog/10/5/new-way-generate-hashes-drupal-7/ and the Drupal Core had agreed and already completed the work by removing all instances of MD5 from the code base: https://drupal.org/node/723802.
It is easy to fix this by using hash('sha256', $elements) instead.
Could we consider making this module FIPS compatible?
Many thanks
Comments
Comment #1
Fabio.E.Questionmark commented
Please find attached a patch to remove md5 usage
Comment #2
Fabio.E.Questionmark commented
Comment #3
markhalliwell
Actually this entire theme hook should just be removed (legacy code). The bootstrap_panel theme hook should be used instead.
Committed adda527 to 7.x-3.x:
Comment #4
markhalliwell
Comment #5
markhalliwell
Reflects more accurately, it was never "officially" deprecated... just overlooked. Added a draft change notice that will need to be published once 7.x-3.1 is released.
Comment #6
markhalliwell
Comment #8
m1r1k commented
bootstrap_accordion.func.php was removed from 8.x-3.x as well as the manually generated Id attribute.