Replace MD5 usage for predicates, DEFAULT_PHASH #3668
Comments
This usage has no bw-compat concerns. I would accept a PR that changed it to something with a focus on speed and reduced collisions. It is not a security-related feature at all, so sha256 would work but is likely less performant than some other options that would work here.
Why do we use a hash at all, rather than a full tuple, like we do for discriminators?
I don't know why we're using the hash historically. The requirements afaik (off the top of my head) are 1) serializable and 2) comparable for equality. It's used to find duplicate views.
Additionally, since Python 3.9 it should be possible to supply
Feature Request
pyramid.config.predicates uses hashlib.md5
While this MD5 usage isn't security-related, MD5 usage is deprecated. It triggers security warnings from scanners, and isn't available in FIPS environments.
Describe the solution you'd like
Use a different algorithm, such as SHA256 or SHA512.
Describe alternatives you've considered
Additional context
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
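The following is an added example, not code from Pyramid or from anyone in this thread. It sketches what the request amounts to: a predicate hash ("phash") that only has to be serializable and comparable for equality, built with SHA-256 instead of MD5, plus a check for the Python 3.9+ `usedforsecurity=False` keyword, which is the escape hatch under a FIPS policy if MD5 had to stay. The predicate classes, their `text()` protocol and the `make_phash`/`DEFAULT_PHASH` names are constructed stand-ins modeled on the discussion, not Pyramid's actual classes or constants.

```python
"""Constructed example: a predicate hash ("phash") built without MD5.

The thread states only two requirements for the value: it must be
serializable and comparable for equality, so that views registered with
the same predicates are detected as duplicates. Any digest with good
collision behaviour satisfies that; SHA-256 is used here. Everything in
this file is a stand-in written for illustration, not Pyramid's own code.
"""
import hashlib
import sys


class RequestMethodPredicate:
    """Constructed stand-in predicate: matches on the request method."""

    def __init__(self, val):
        # Normalise to a sorted tuple so ("GET", "POST") and ["POST", "GET"]
        # describe the same predicate and therefore hash identically.
        if isinstance(val, (list, tuple, set)):
            self.val = tuple(sorted(val))
        else:
            self.val = (val,)

    def text(self):
        # Canonical, human-readable description; the phash is derived from it.
        return "request_method = %s" % ",".join(self.val)


class PathInfoPredicate:
    """Constructed stand-in predicate: matches on a path regex."""

    def __init__(self, val):
        self.val = val

    def text(self):
        return "path_info = %s" % self.val


def make_phash(predicates, algorithm="sha256"):
    """Digest the canonical text of each predicate, in the order given.

    Only equality matters, so the digest is chosen for speed and collision
    avoidance, not for security. Each text is length-prefixed so that two
    different predicate lists cannot concatenate to the same input bytes.
    """
    h = hashlib.new(algorithm)
    for pred in predicates:
        txt = pred.text().encode("utf-8")
        h.update(len(txt).to_bytes(4, "big"))
        h.update(txt)
    return h.hexdigest()


# Hash of an empty predicate list: every view with no predicates shares it.
# (Assumed to mirror the role of the DEFAULT_PHASH constant named in the issue.)
DEFAULT_PHASH = make_phash([])


def md5_allowed_in_fips_mode():
    """Probe the Python 3.9+ `usedforsecurity=False` keyword.

    It tells the OpenSSL backend the digest is not a security control, which
    keeps hashlib.md5 constructible under a FIPS policy that would otherwise
    reject MD5. Older interpreters raise TypeError; a build with MD5 removed
    entirely raises ValueError. Either way the answer is "not usable".
    """
    if sys.version_info < (3, 9):
        return False
    try:
        hashlib.md5(b"", usedforsecurity=False)
    except (TypeError, ValueError):
        return False
    return True
```

The length prefix in `make_phash` is the one detail worth keeping whatever digest is chosen: hashing the bare concatenation of predicate texts would let two different predicate lists produce identical input bytes, which is a false duplicate regardless of how collision-resistant the algorithm is.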