From 21d9c94f7b04eef00d0adfe9b14935d3526b5931 Mon Sep 17 00:00:00 2001 From: Kevin Israel Date: Sun, 10 Jul 2022 03:37:56 -0400 Subject: MWCryptHash: Clean up check for acceptable hashing algorithms * Replaced use of hash_algos() with hash_hmac_algos(), which was added in PHP 7.2 and omits non-cryptographic hashing algorithms that are not supported by hash_hmac(). * Removed MD5 and SHA-1 from the list of acceptable hash functions. These functions are cryptographically broken and are not being used anyway; all supported PHP versions support Whirlpool and SHA-256. * Made the in_array() comparison strict as per coding conventions. Change-Id: I3a3d43a790f71a4875a39c8788bef67ecf0181f0 --- includes/libs/MWCryptHash.php | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) (limited to 'includes/libs') diff --git a/includes/libs/MWCryptHash.php b/includes/libs/MWCryptHash.php index 48a6215c5a33..3ec4cdea9c79 100644 --- a/includes/libs/MWCryptHash.php +++ b/includes/libs/MWCryptHash.php @@ -46,23 +46,17 @@ class MWCryptHash { return self::$algo; } - $algos = hash_algos(); - $preference = [ 'whirlpool', 'sha256', 'sha1', 'md5' ]; + $algos = hash_hmac_algos(); + $preference = [ 'whirlpool', 'sha256' ]; foreach ( $preference as $algorithm ) { - if ( in_array( $algorithm, $algos ) ) { + if ( in_array( $algorithm, $algos, true ) ) { self::$algo = $algorithm; - return self::$algo; } } - // We only reach here if no acceptable hash is found in the list, this should - // be a technical impossibility since most of php's hash list is fixed and - // some of the ones we list are available as their own native functions - // But since we already require at least 5.2 and hash() was default in - // 5.1.2 we don't bother falling back to methods like sha1 and md5. - throw new DomainException( "Could not find an acceptable hashing function in hash_algos()" ); + throw new DomainException( 'Could not find an acceptable hashing function.' ); } /** -- cgit v1.2.3