[dev] [commits] Horde branch master updated. 0ab877c762ed591254793fdeb8840a27087b0c5e
Jan Schneider
jan at horde.org
Thu Mar 13 10:59:04 UTC 2014
Zitat von Michael M Slusarz <slusarz at horde.org>:
> Quoting Michael M Slusarz <slusarz at horde.org>:
>
>> commit 2d91444b8cb4a63a67355fcd3eb28af6b497b4c0
>> Author: Michael M Slusarz <slusarz at horde.org>
>> Date: Wed Mar 12 02:27:59 2014 -0600
>>
>> Another place to change hash algorithm
>>
>> framework/Imap_Client/lib/Horde/Imap/Client/Base.php | 5 ++++-
>> 1 files changed, 4 insertions(+), 1 deletions(-)
>>
>> http://github.com/horde/horde/commit/2d91444b8cb4a63a67355fcd3eb28af6b497b4c0
>> http://git.horde.org/horde-git/-/commit/2d91444b8cb4a63a67355fcd3eb28af6b497b4c0
>
> I have mentioned this before in commit messages ... but MD5 has been
> proven to be inadequate for hashing purposes due to collision issues.
>
> See, e.g.:
>
> http://www.mscs.dal.ca/~selinger/md5collision/
>
> I've personally changed code to use either SHA-1 (unfortunately much
> slower than MD5, and larger output, but collision resistant and
> should always be available in PHP) or FNV-1(32 bit) (only available
> on PHP 5.4+, faster than MD5, designed specifically as
> non-crpytographic hash, low collision rate).
>
> Would be better to use FNV-1a than FNV-1, but due to oversight this
> was left out of hash() and my patch to add won't show up until PHP
> 5.6. Even better would be xxhash, but this would require the
> installation of a PHP module.
We should wrap and abstract this into a Horde_Util method, so the best
hashing method available will always be used.
> Granted, there's still going to be a low rate of collisions using
> MD5, but all it takes is one collision to potentially leak something
> like, say, cached e-mail message data. So better safe than sorry.
>
> michael
>
> ___________________________________
> Michael Slusarz [slusarz at horde.org]
--
Jan Schneider
The Horde Project
http://www.horde.org/
https://www.facebook.com/hordeproject
More information about the dev
mailing list