To avoid false positives weak algorithms should not be used (see https://www.drupal.org/node/845876)

Affected code:

docroot/modules/contrib/inline_entity_form/src/Plugin/Field/FieldWidget/InlineEntityFormComplex.php 203
docroot/modules/contrib/inline_entity_form/src/Plugin/Field/FieldWidget/InlineEntityFormComplex.php 586
docroot/modules/contrib/inline_entity_form/src/Plugin/Field/FieldWidget/InlineEntityFormSimple.php 35
docroot/modules/contrib/inline_entity_form/src/Plugin/Field/FieldWidget/InlineEntityFormSimple.php 155

Solution:

use Drupal’s hashBase64 methods:

\Drupal\Component\Utility\Crypt::hashBase64($data)
\Drupal\Component\Utility\Crypt::hmacBase64($data, $key)

in those files affected (see description)

Create a patch for the files mentioned in the description, share in d.o and use the patch from d.o url.

CommentFileSizeAuthor
#6 inline_entity_form-usage_of_weak_algorithms-3069423-6.patch3.51 KBomkar06
#3 inline_entity_form-usage_of_weak_algorithms-3069423-3.patch3.51 KBomkar06

Comments

alexmoreno created an issue. See original summary.

omkar06’s picture

omkar06 commented
Assigned: Unassigned » omkar06
omkar06’s picture

omkar06 commented
Assigned: omkar06 » Unassigned
Status: Active » Needs review
StatusFileSize
new inline_entity_form-usage_of_weak_algorithms-3069423-3.patch3.51 KB
geek-merlin’s picture

geek-merlin
Primary language German
Location Freiburg, Germany
commented
Title: Weak algorithms usage should be avoided » Replace weak hashing algorithms

Thanks for pointing this out and providing a patch. My gut feeling is the repeating code can go to a helper method.

+ // Since $parents can get quite long, encryption ensures that every id has

Nit: ...hashing ensures...

geek-merlin’s picture

geek-merlin
Primary language German
Location Freiburg, Germany
commented
Related issues: +#2653574: Unable to keep nested IEF data separate with multivalue fields.

Note: In #2653574-129: Unable to keep nested IEF data separate with multivalue fields. this seems to be factored out as

+  protected function iefIdFromParents(array $parents) {
omkar06’s picture

omkar06 commented
StatusFileSize
new inline_entity_form-usage_of_weak_algorithms-3069423-6.patch3.51 KB

Updating patch with correction mentioned in #4.
As in related issue, code is going to refactor, this patch also will need to revise as per new implementation. Meanwhile, if anyone required for current code, they can use this patch.

  • geek-merlin committed dfdd345 on 8.x-1.x 
    Issue #3069423 by omkar06, geek-merlin: Replace weak hashing algorithms
geek-merlin’s picture

geek-merlin
Primary language German
Location Freiburg, Germany
commented
Status: Needs review » Fixed

Committed, thanks a bunch!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.