Opened 7 weeks ago
Closed 7 weeks ago
#7860 closed feature request (fixed)
Credits API: update sha256 hashing algorithm
Priority: high
Component: API
Keywords: has-patch
Description
WP core will update to use sha256 as the algorithm in https://core.trac.wordpress.org/ticket/60638
I found that the Credits API still uses MD5, and this ticket requests updating it to sha256.
Attachments (3)
Change History (11)
#1, 7 weeks ago
This ticket was mentioned in PR #454 on WordPress/wordpress.org by @haozi.
- Keywords has-patch added
#3 (follow-up: ↓ 5), 7 weeks ago
Hi there, thanks for the ticket and the patch!
At a glance, we might need to only return SHA-256 URLs for WordPress 6.8-alpha or later (as per [WP59532]), and still return MD5 URLs for older WP versions.
#5 (in reply to: ↑ 3), 7 weeks ago
- Owner set to dd32
- Status changed from new to accepted
Replying to SergeyBiryukov:
> At a glance, we might need to only return SHA-256 URLs for WordPress 6.8-alpha or later (as per [WP59532]), and still return MD5 URLs for older WP versions.
Turns out we don't need this at all; we can just return a sha256, I believe, and core will treat it as an md5, which will pass straight through to Gravatar.
7860.2.diff so it's much simpler, similar to the original patch here, but a little cleaner.
#6, 7 weeks ago
Yes, and returning SHA-256 URLs uniformly can prevent hackers from passing a low version number to get MD5 URLs.
I think there is no compatibility problem with using sha256 directly. The credits page is compatible with sha256 (just the parameters look a bit strange).
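
A regression check for the change discussed in this ticket, as an added example that is not part of the ticket thread or the project's code: it classifies the hash in each avatar URL by digest length so that any leftover MD5 URL is flagged. The `/avatar/<hash>` path layout is Gravatar's public URL format; the function names, e-mail address and sample URLs are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Hex digest length tells the two algorithms in this ticket apart.
DIGEST_ALGOS = {32: "md5", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-f]+$")


def gravatar_hash(email, algo="sha256"):
    """Gravatar identifier: digest of the trimmed, lower-cased address."""
    normalized = email.strip().lower().encode("utf-8")
    return hashlib.new(algo, normalized).hexdigest()


def classify_avatar_url(url):
    """Return 'md5', 'sha256' or 'unknown' for a Gravatar-style avatar URL."""
    # urlparse drops the query string (?s=..., ?d=...) from the path for us.
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) < 2 or parts[-2] != "avatar":
        return "unknown"
    digest = parts[-1].lower()
    if not _HEX.match(digest):
        return "unknown"
    return DIGEST_ALGOS.get(len(digest), "unknown")


def find_md5_avatars(urls):
    """URLs that still carry an MD5-length hash and need updating."""
    return [u for u in urls if classify_avatar_url(u) == "md5"]


# Constructed sample data: one legacy MD5 URL, one SHA-256 URL, one unrelated URL.
SAMPLE_EMAIL = " Contributor@Example.org "
SAMPLE_URLS = [
    "https://www.gravatar.com/avatar/%s?s=80&d=mm" % gravatar_hash(SAMPLE_EMAIL, "md5"),
    "https://www.gravatar.com/avatar/%s?s=80&d=mm" % gravatar_hash(SAMPLE_EMAIL),
    "https://example.org/images/logo.png",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify_avatar_url(url), url)
    print("MD5 URLs remaining:", len(find_md5_avatars(SAMPLE_URLS)))
```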