From 43e66c6415d6397b0ee93d64dc80c742072f3ada Mon Sep 17 00:00:00 2001
From: Michael Merickel
Date: Sun, 28 Jan 2024 23:17:29 -0700
Subject: [PATCH 1/2] upgrade phash implementation from md5 to sha256
---
 CHANGES.rst | 4 ++++
 src/pyramid/config/predicates.py | 6 +++---
 tests/test_config/test_views.py | 8 ++++----
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index b3aae92b4..023ce3fe6 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -22,6 +22,10 @@ Features
 See https://github.com/Pylons/pyramid/pull/3735
+- Replace usage of ``md5`` in the Pyramid view system with ``sha256``. This
+ is not a security-related feature and is considered an implementation detail
+ that should not impact users.
+
 Bug Fixes
 ---------
diff --git a/src/pyramid/config/predicates.py b/src/pyramid/config/predicates.py
index db5df0347..15d990b95 100644
--- a/src/pyramid/config/predicates.py
+++ b/src/pyramid/config/predicates.py
@@ -1,4 +1,4 @@
-from hashlib import md5
+from hashlib import sha256
 from webob.acceptparse import Accept
 from pyramid.exceptions import ConfigurationError
@@ -8,7 +8,7 @@ from pyramid.util import TopologicalSorter, bytes_, is_nonstr_iter
 MAX_ORDER = 1 << 30
-DEFAULT_PHASH = md5().hexdigest()
+DEFAULT_PHASH = sha256().hexdigest()
 class PredicateConfiguratorMixin:
@@ -137,7 +137,7 @@ def make(self, config, **kw):
 # phash) that can be used by a caller to identify identical predicate
 # lists.
 ordered = self.sorter.sorted()
- phash = md5()
+ phash = sha256()
 weights = []
 preds = []
 info = PredicateInfo(
diff --git a/tests/test_config/test_views.py b/tests/test_config/test_views.py
index c7d8c2721..2018e61f2 100644
--- a/tests/test_config/test_views.py
+++ b/tests/test_config/test_views.py
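Review bot: Nothing next to `DEFAULT_PHASH` or the `phash = sha256()` line in `make` records that a phash is an identity token for a predicate list rather than a security digest or a stable format, and this patch changes both its value and its width (32 to 64 hex characters). Suggest a comment above `DEFAULT_PHASH`: `# Digest of an empty predicate list. phash values only serve to identify identical predicate lists (see make()); the algorithm and digest width are implementation details, not a security primitive.` Any code that stores `__phash__` values across versions or builds one by hand — the tests/test_config/test_views.py hunks in this patch did exactly that with md5 — would stop matching after this change; the changelog entry says none is expected, which is presumably right for in-tree code but worth confirming for any downstream code that sets `__phash__` itself. `make` continues outside the hunk.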
@@ -554,7 +554,7 @@ def test_add_view_exception_register_secured_view(self):
 self.assertEqual(wrapper, view)
 def test_add_view_same_phash_overrides_existing_single_view(self):
- from hashlib import md5
+ from hashlib import sha256
 from zope.interface import Interface
 from pyramid.interfaces import (
@@ -565,7 +565,7 @@ def test_add_view_same_phash_overrides_existing_single_view(self):
 )
 from pyramid.renderers import null_renderer
- phash = md5()
+ phash = sha256()
 phash.update(b'xhr = True')
 view = lambda *arg: 'NOT OK'
 view.__phash__ = phash.hexdigest()
@@ -585,7 +585,7 @@ def newview(context, request):
 self.assertEqual(wrapper(None, request), 'OK')
 def test_add_view_exc_same_phash_overrides_existing_single_view(self):
- from hashlib import md5
+ from hashlib import sha256
 from zope.interface import implementedBy
 from pyramid.interfaces import (
@@ -596,7 +596,7 @@ def test_add_view_exc_same_phash_overrides_existing_single_view(self):
 )
 from pyramid.renderers import null_renderer
- phash = md5()
+ phash = sha256()
 phash.update(b'xhr = True')
 view = lambda *arg: 'NOT OK'
 view.__phash__ = phash.hexdigest()
From 4fc143bee86125b290b4ed2a9e8860d7a428230b Mon Sep 17 00:00:00 2001
From: Michael Merickel
Date: Sun, 28 Jan 2024 23:18:47 -0700
Subject: [PATCH 2/2] add changelog for #3745
---
 CHANGES.rst | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGES.rst b/CHANGES.rst
index 023ce3fe6..480ebe83c 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -26,6 +26,8 @@ Features
 is not a security-related feature and is considered an implementation detail
 that should not impact users.
+ See https://github.com/Pylons/pyramid/pull/3745
+
 Bug Fixes
 ---------
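Review bot: Both `test_add_view_same_phash_overrides_existing_single_view` and `test_add_view_exc_same_phash_overrides_existing_single_view` rebuild the expected `__phash__` by hand with `sha256()` followed by `phash.update(b'xhr = True')`, duplicating the algorithm chosen in src/pyramid/config/predicates.py, which is why this rename had to be applied in four places and a future change would have to be again. A small shared helper in the test module, e.g. `def _phash_for(data): h = sha256(); h.update(data); return h.hexdigest()` called as `_phash_for(b'xhr = True')`, or taking the hash constructor from one place, would keep the tests in step with the implementation. Both test functions continue outside their hunks.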