authorKevin Israel <pleasestand@live.com>2022-07-10 03:37:56 -0400
committerKevin Israel <pleasestand@live.com>2022-07-10 05:15:56 -0400
commit21d9c94f7b04eef00d0adfe9b14935d3526b5931 (patch)
tree897abe5273157e8c6a4edd68c36a649bf6fa55d8 /includes/libs
parent5ad4da0f19d6bdad9db0cea51e4ac757c0cff6db (diff)
MWCryptHash: Clean up check for acceptable hashing algorithms
* Replaced use of hash_algos() with hash_hmac_algos(), which was added in PHP 7.2 and omits non-cryptographic hashing algorithms that are not supported by hash_hmac(). * Removed MD5 and SHA-1 from the list of acceptable hash functions. These functions are cryptographically broken and are not being used anyway; all supported PHP versions support Whirlpool and SHA-256. * Made the in_array() comparison strict as per coding conventions. Change-Id: I3a3d43a790f71a4875a39c8788bef67ecf0181f0
Diffstat (limited to 'includes/libs')
-rw-r--r--includes/libs/MWCryptHash.php14
1 files changed, 4 insertions, 10 deletions
diff --git a/includes/libs/MWCryptHash.php b/includes/libs/MWCryptHash.php
index 48a6215c5a33..3ec4cdea9c79 100644
--- a/includes/libs/MWCryptHash.php
+++ b/includes/libs/MWCryptHash.php
@@ -46,23 +46,17 @@ class MWCryptHash {
return self::$algo;
}
- $algos = hash_algos();
- $preference = [ 'whirlpool', 'sha256', 'sha1', 'md5' ];
+ $algos = hash_hmac_algos();
+ $preference = [ 'whirlpool', 'sha256' ];
foreach ( $preference as $algorithm ) {
- if ( in_array( $algorithm, $algos ) ) {
+ if ( in_array( $algorithm, $algos, true ) ) {
self::$algo = $algorithm;
-
return self::$algo;
}
}
- // We only reach here if no acceptable hash is found in the list, this should
- // be a technical impossibility since most of php's hash list is fixed and
- // some of the ones we list are available as their own native functions
- // But since we already require at least 5.2 and hash() was default in
- // 5.1.2 we don't bother falling back to methods like sha1 and md5.
- throw new DomainException( "Could not find an acceptable hashing function in hash_algos()" );
+ throw new DomainException( 'Could not find an acceptable hashing function.' );
}
/**
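Review bot: Nothing on the new `$preference = [ 'whirlpool', 'sha256' ];` line records that MD5 and SHA-1 were left out on purpose, and the explanatory comment above the `throw` was removed, so the rationale now lives only in the commit message. A one-line comment above the list would stop a later maintainer from re-adding weak fallbacks when the exception fires on an unusual build: `// MD5 and SHA-1 are deliberately excluded as cryptographically broken; do not re-add them as fallbacks.` A second comment beside `hash_hmac_algos()` could note that it is used because it omits non-cryptographic algorithms that hash_hmac() does not support. The new exception text also no longer hints at what was searched; naming the candidates, e.g. `'Could not find an acceptable hashing function (tried: ' . implode( ', ', $preference ) . ').'`, would make a failure easier to diagnose. The enclosing method starts above the hunk, so its signature and docblock are not visible here.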