Making WordPress.org

Opened 7 weeks ago

Closed 7 weeks ago

#7860 closed feature request (fixed)

Credits API: update sha256 hashing algorithm

Reported by: haozi Owned by: dd32
Milestone: Priority: high
Component: API Keywords: has-patch
Cc:

Description

WP core will update to use sha256 as algorithm in https://core.trac.wordpress.org/ticket/60638

I found that the Credits API still uses MD5, and this ticket request updates them to sha256.

Attachments (3)

7860.patch (3.6 KB) - added by haozi 7 weeks ago.
7860.diff (9.3 KB) - added by dd32 7 weeks ago.
7860.2.diff (5.8 KB) - added by dd32 7 weeks ago.


Change History (11)

@haozi
7 weeks ago

This ticket was mentioned in PR #454 on WordPress/wordpress.org by @haozi.

#1
7 weeks ago

  • Keywords has-patch added

#2 @haozi
7 weeks ago

I think there is no compatibility problem with using sha256 directly. The credits page is compatible with sha256 (just the parameters look a bit strange).

https://s2.loli.net/2024/12/17/RUrq7342SoTO8Kz.png

#3 follow-up: @SergeyBiryukov
7 weeks ago

Hi there, thanks for the ticket and the patch!

At a glance, we might need to only return SHA-256 URLs for WordPress 6.8-alpha or later (as per [WP59532]), and still return MD5 URLs for older WP versions.

#4 @dd32
7 weeks ago

The patch as-is won't work either for cases where we've stored MD5s in the credits file.

From looking at the core handler, we can probably just return an MD5 as-is without anything special. Something like 7860.diff, which I haven't yet tested.

@dd32
7 weeks ago

@dd32
7 weeks ago

#5 in reply to: ↑ 3 @dd32
7 weeks ago

  • Owner set to dd32
  • Status changed from new to accepted

Replying to SergeyBiryukov:

At a glance, we might need to only return SHA-256 URLs for WordPress 6.8-alpha or later (as per [WP59532]), and still return MD5 URLs for older WP versions.

Turns out we don't need this at all; we can just return a sha256, I believe, and core will treat it as an md5, which will pass straight through to Gravatar.

7860.2.diff is much simpler as a result: similar to the original patch here, but a little cleaner.
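The pass-through behaviour discussed in this thread (a stored MD5 is returned as-is, everything else is hashed with SHA-256), written out as an added example; this is not the code from 7860.2.diff or from wordpress.org, and the function names, the avatar base URL and the sample values are assumptions:

```php
<?php
// Added example, not the wordpress.org patch. Builds the avatar hash the
// Credits API would return, passing already-stored MD5 digests through.

/**
 * Hash an email the way the avatar service expects: trimmed, lower-cased,
 * then SHA-256 (64 hex chars) instead of the previous MD5 (32 hex chars).
 */
function credits_gravatar_hash( string $email ): string {
    return hash( 'sha256', strtolower( trim( $email ) ) );
}

/**
 * Decide what to ship in the API response. A credits file may already hold
 * a hex digest (32-char MD5 or 64-char SHA-256); either is returned as-is,
 * since core passes the value straight through to the avatar endpoint.
 * Anything else is treated as an email address and hashed with SHA-256.
 */
function credits_avatar_hash( string $stored ): string {
    if ( preg_match( '/^[a-f0-9]{32}$/i', $stored ) || preg_match( '/^[a-f0-9]{64}$/i', $stored ) ) {
        return strtolower( $stored );
    }
    return credits_gravatar_hash( $stored );
}

/**
 * Assumed avatar URL layout; the real API may use another host or params.
 */
function credits_avatar_url( string $stored, int $size = 96 ): string {
    return 'https://secure.gravatar.com/avatar/' . credits_avatar_hash( $stored ) . '?s=' . $size;
}

// Constructed sample inputs: one raw email and one legacy MD5 digest
// (the MD5 of the empty string, used here only as a recognisable value).
$samples = [
    'Someone@Example.com ',              // hashed with SHA-256 -> 64 hex chars
    'd41d8cd98f00b204e9800998ecf8427e',  // legacy MD5, returned unchanged
];
foreach ( $samples as $s ) {
    echo credits_avatar_url( $s ), PHP_EOL;
}
```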

#6 @haozi
7 weeks ago

Yes, and returning SHA-256 URLs uniformly can prevent hackers from passing a low version number to get MD5 URLs.

#7 @dd32
7 weeks ago

can prevent hackers from passing a low version number to get MD5 URLs.

To be fair, SHA-256 rainbow tables do exist; this is not a massive security change per se.

#8 @dd32
7 weeks ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 14307:

API: Credits: Return credits with SHA256 hashes.

Props haozi, SergeyBiryukov, dd32.
Closes https://github.com/WordPress/wordpress.org/pull/454.
Fixes #7860.
