[SLING-6638] Vault Package Builder should not allow SHA1, MD5 digest algorithm - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: Content Distribution Core 0.2.6
Fix Version/s: Content Distribution Core 0.2.8
Component/s: Content Distribution
Labels:
None

Description

The VaultDistributionPackageBuilderFactory [0] proposes the MD5, MD2 and SHA-1 algorithms, for which collisions could realistically be forged.

SCD makes use of those algorithm for error detection (like a CRC) and not for security. Despite that, we should deprecate the use of those algorithms IMO.

I propose to remove the three algorithms form the list of proposals, and throw and exception if a non supported algorithm is used. The component end up not being activated unless the configuration is corrected.

[0] https://github.com/apache/sling/blob/trunk/contrib/extensions/distribution/core/src/main/java/org/apache/sling/distribution/serialization/impl/vlt/VaultDistributionPackageBuilderFactory.java#L191-L193

Attachments

Activity

People

Assignee:: Timothee Maret

Reporter:: Timothee Maret

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 13/Mar/17 10:43

Updated:: 07/Jun/17 21:38

Resolved:: 02/Jun/17 09:33