From f6781a29d0f11aa498a3e7f271301aa734f82912 Mon Sep 17 00:00:00 2001 From: Matt Westcott Date: Mon, 24 Apr 2023 15:47:52 +0100 Subject: [PATCH] Revert "Mark calls to md5 as not being used for secure purposes (#10192)" This reverts commit 4dea70250bc2923b826676be6b9187a8107b4a20. --- CHANGELOG.txt | 1 - docs/releases/5.1.md | 2 +- wagtail/coreutils.py | 18 ------------------ wagtail/embeds/embeds.py | 6 ++++-- wagtail/users/utils.py | 8 +++----- 5 files changed, 8 insertions(+), 27 deletions(-) diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 3297d39cd6..ad91320fb0 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -4,7 +4,6 @@ Changelog 5.1 (xx.xx.xxxx) - IN DEVELOPMENT ~~~~~~~~~~~~~~~~ - * Mark calls to `md5` as not being used for secure purposes, to avoid flagging on FIPS-mode systems (Sean Kelly) * Fix: Prevent choosers from failing when initial value is an unrecognised ID, e.g. when moving a page from a location where `parent_page_types` would disallow it (Dan Braghis) * Docs: Document how to add non-ModelAdmin views to a `ModelAdminGroup` (Onno Timmerman) * Docs: Document how to add StructBlock data to a StreamField (Ramon Wenger) diff --git a/docs/releases/5.1.md b/docs/releases/5.1.md index df969de5ba..50a0a069a9 100644 --- a/docs/releases/5.1.md +++ b/docs/releases/5.1.md @@ -15,7 +15,7 @@ depth: 1 ### Other features - * Mark calls to `md5` as not being used for secure purposes, to avoid flagging on FIPS-mode systems (Sean Kelly) + * ... ### Bug fixes diff --git a/wagtail/coreutils.py b/wagtail/coreutils.py index fe484d5807..346e6b5834 100644 --- a/wagtail/coreutils.py +++ b/wagtail/coreutils.py @@ -20,7 +20,6 @@ from django.utils.encoding import force_str from django.utils.text import capfirst, slugify from django.utils.translation import check_for_language, get_supported_language_variant from django.utils.translation import gettext_lazy as _ -from hashlib import md5 if TYPE_CHECKING: from wagtail.models import Site 
@@ -422,23 +421,6 @@ def get_dummy_request(*, path: str = "/", site: "Site" = None) -> HttpRequest: return RequestFactory(SERVER_NAME=server_name).get(path, SERVER_PORT=server_port) -def safe_md5(data=b"", usedforsecurity=True): - """ - Safely use the MD5 hash algorithm with the given ``data`` and a flag - indicating if the purpose of the digest is for security or not. - - On security-restricted systems (such as FIPS systems), insecure hashes - like MD5 are disabled by default. But passing ``usedforsecurity`` as - ``False`` tells the underlying security implementation we're not trying - to use the digest for secure purposes and to please just go ahead and - allow it to happen. - """ - if accepts_kwarg(md5, "usedforsecurity"): - return md5(data, usedforsecurity=usedforsecurity) - else: - return md5(data) - - class BatchProcessor: """ A class to help with processing of an unknown (and potentially very diff --git a/wagtail/embeds/embeds.py b/wagtail/embeds/embeds.py index dbb9eb49b1..60d3b822e6 100644 --- a/wagtail/embeds/embeds.py +++ b/wagtail/embeds/embeds.py @@ -1,8 +1,9 @@ from datetime import datetime +from hashlib import md5 from django.utils.timezone import now -from wagtail.coreutils import accepts_kwarg, safe_md5 +from wagtail.coreutils import accepts_kwarg from .exceptions import EmbedUnsupportedProviderException from .finders import get_finders @@ -65,7 +66,8 @@ def get_embed(url, max_width=None, max_height=None, finder=None): def get_embed_hash(url, max_width=None, max_height=None): - h = safe_md5(url.encode("utf-8"), usedforsecurity=False) + h = md5() + h.update(url.encode("utf-8")) if max_width is not None: h.update(b"\n") h.update(str(max_width).encode("utf-8")) diff --git a/wagtail/users/utils.py b/wagtail/users/utils.py index 6e8dad7e88..55b32fe51c 100644 --- a/wagtail/users/utils.py +++ b/wagtail/users/utils.py 
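Review bot: `h = md5()` in get_embed_hash will raise ValueError on Python builds whose OpenSSL runs in FIPS mode, where MD5 is refused unless the caller passes `usedforsecurity=False`; the digest here is only a cache key fed from the URL and the width/height, so that flag is the accurate declaration and its loss is the one thing this hunk changes for the worse. The commit message gives no reason for the revert, so if `safe_md5` was pulled because `accepts_kwarg` misbehaves on the builtin `md5`, a plain version guard avoids `inspect` entirely: `h = md5(usedforsecurity=False) if sys.version_info >= (3, 9) else md5()` (needs `import sys`, which this hunk does not show). Either way a why-comment would stop the next reader from "upgrading" it to SHA-256 and, presumably, orphaning every stored embed hash: `# MD5 is a cache key for the embed lookup, not a security boundary; changing the algorithm changes every existing hash.` The body of get_embed_hash continues past the end of the hunk, so the max_height branch and the return are not visible here.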
@@ -1,10 +1,10 @@ +import hashlib + from django.conf import settings from django.utils.http import urlencode from django.utils.translation import gettext_lazy as _ from wagtail.compat import AUTH_USER_APP_LABEL, AUTH_USER_MODEL_NAME -from wagtail.coreutils import safe_md5 - delete_user_perm = "{0}.delete_{1}".format( AUTH_USER_APP_LABEL, AUTH_USER_MODEL_NAME.lower() @@ -38,11 +38,9 @@ def get_gravatar_url(email, size=50): if (not email) or (gravatar_provider_url is None): return None - email_bytes = email.lower().encode("utf-8") - hashed = safe_md5(email_bytes, usedforsecurity=False).hexdigest() gravatar_url = "{gravatar_provider_url}/{hash}?{params}".format( gravatar_provider_url=gravatar_provider_url.rstrip("/"), - hash=hashed, + hash=hashlib.md5(email.lower().encode("utf-8")).hexdigest(), params=urlencode({"s": size, "d": default}), )
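Review bot: The inlined `hashlib.md5(email.lower().encode("utf-8")).hexdigest()` inside the `format()` call drops both the named intermediate and the `usedforsecurity=False` declaration the removed lines carried, so on a FIPS-restricted OpenSSL build the call raises ValueError and the avatar lookup fails outright instead of degrading to the `return None` path just above. Gravatar's documented hashing rule also trims whitespace before lowercasing, which neither side of this hunk does, so a stray space in a stored address yields a hash for a different account. I would restore the local and add the strip: `email_hash = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()  # non-cryptographic: Gravatar lookup key` with `hash=email_hash,` in the format call; `usedforsecurity=False` can go back on that line once Python 3.9 is the supported floor, or behind a `sys.version_info` guard before then. get_gravatar_url starts before this hunk (`default` and `gravatar_provider_url` are bound there) and its `return` lies past the hunk's last line.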