# HG changeset patch # User Mads Kiilerich # Date 2020-06-11 21:15:07 # Node ID 3a12df6cbf3056831e839d734184c76b1e8331c4 # Parent 87de82eb7cb00568f29229da44287dafcfaee055 lib: use sha1 instead of md5 in a couple of places md5 is dead and should be avoided. In the places changed here, we want to keep using hashes without trivial collisions, but do not expect strong crypto security. sha1 seems like a trivial step up from md5 and without obvious alternatives. It is more expensive than md5, but we can live with that in these places. The remaining few uses of md5() cannot be changed without breaking backwards compatibility or external API. diff --git a/kallithea/lib/celerylib/__init__.py b/kallithea/lib/celerylib/__init__.py --- a/kallithea/lib/celerylib/__init__.py +++ b/kallithea/lib/celerylib/__init__.py @@ -28,7 +28,7 @@ Original author and date, and relevant c import logging import os -from hashlib import md5 +from hashlib import sha1 from decorator import decorator from tg import config @@ -94,7 +94,7 @@ def __get_lockkey(func, *fargs, **fkwarg func_name = str(func.__name__) if hasattr(func, '__name__') else str(func) lockkey = 'task_%s.lock' % \ - md5(safe_bytes(func_name + '-' + '-'.join(str(x) for x in params))).hexdigest() + sha1(safe_bytes(func_name + '-' + '-'.join(str(x) for x in params))).hexdigest() return lockkey diff --git a/kallithea/lib/markup_renderer.py b/kallithea/lib/markup_renderer.py --- a/kallithea/lib/markup_renderer.py +++ b/kallithea/lib/markup_renderer.py @@ -74,13 +74,13 @@ class MarkupRenderer(object): :param text: """ - from hashlib import md5 + from hashlib import sha1 # Extract pre blocks. extractions = {} def pre_extraction_callback(matchobj): - digest = md5(matchobj.group(0)).hexdigest() + digest = sha1(matchobj.group(0)).hexdigest() extractions[digest] = matchobj.group(0) return "{gfm-extraction-%s}" % digest pattern = re.compile(r'
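Review bot: In `__get_lockkey` the digest input is still built as `func_name + '-' + '-'.join(str(x) for x in params)`, so the remaining collision risk is in the preimage rather than in the hash. Parameter lists such as `('a-b', 'c')` and `('a', 'b-c')` (constructed example) flatten to the same string and therefore map to the same `task_….lock` name under md5 or sha1 alike. If distinct argument lists must never share a lock, hash an unambiguous encoding instead, e.g. `sha1(safe_bytes(func_name + '-' + repr(params))).hexdigest()`, assuming `params` is a list or tuple, which this hunk does not show. The lock name also changes with the digest, so a lock taken by a worker still running the md5 code will not be seen by upgraded workers during a rolling deploy. The function body starts outside the hunk.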
.*?
', re.MULTILINE | re.DOTALL)
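Review bot: `sha1(matchobj.group(0))` in `pre_extraction_callback` passes the matched text to the hash directly, whereas the celerylib hunk in this same changeset wraps its input in `safe_bytes(...)`. On Python 3, `hashlib` raises `TypeError` for `str` input, so if `text` is a `str` here (its type is not visible in this hunk) the first matched block will fail instead of being extracted. Encoding at the call would close that, e.g. `digest = sha1(safe_bytes(matchobj.group(0))).hexdigest()`, assuming `safe_bytes` is importable in this module. Since the digest only names a placeholder, `sha1(..., usedforsecurity=False)` on Python 3.9+ would also record the non-cryptographic intent from the commit message in the code itself. The enclosing method starts and ends outside the hunk.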