Merge pull request #7906 from EricSoroos/7768_md5

Note that MD5 Hash is not used for security purposes
ckan · Nov 16, 2023 · e2e5de2 · e2e5de2
2 parents 7c3d085 + ae2ccc6
commit e2e5de2
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/changes/7906.misc b/changes/7906.misc
@@ -0,0 +1 @@
+Note that md5 use in tracking is not a security context
diff --git a/ckanext/tracking/middleware.py b/ckanext/tracking/middleware.py
@@ -27,7 +27,9 @@ def track_request(response: Response) -> Response:
             request.environ.get('HTTP_ACCEPT_LANGUAGE', ''),
             request.environ.get('HTTP_ACCEPT_ENCODING', ''),
         ])
-        key = hashlib.md5(key.encode()).hexdigest()
+        # raises a type error on python<3.9
+        h = hashlib.new('md5', usedforsecurity=False)  # type: ignore
+        key = h.update(key.encode()).hexdigest()
         # store key/data here
         sql = '''INSERT INTO tracking_raw
                     (user_key, url, tracking_type)