DrupalOAuthClient::signatureMethod defaults to SHA1, not SHA512 [#2861262]

In DrupalOAuthClient, line 44 (in 7.x-3.x-dev), we see the following param descriptor in the docblock:

  /* @param string $method
   *  Optional. The hmac hashing algorithm to use. Defaults to 'sha512' which
   *  has superseded sha1 as the recommended alternative.
   */

but in the actual function signature, we see this:

public static function signatureMethod($method = 'SHA1', $fallback_to_sha1 = TRUE) {

Since SHA1 is considered insecure, should the value of $method not be set to 'SHA512'?

Comment	File	Size	Author
#2	oauth-2861262-2-signatureMethod.patch	1.26 KB	daniel_j

Comments

Comment #1

16 March 2017 at 16:20

daniel_j created an issue. See original summary.

Comment #2

daniel_j commented 17 March 2017 at 19:41

Status	File	Size
new	oauth-2861262-2-signatureMethod.patch	1.26 KB

Comment #3

daniel_j commented 17 March 2017 at 20:27

Status:

Active

» Needs review

Comment #4

daniel_j commented 17 March 2017 at 20:31

Bah, testbot is testing against 8.x, but patch is against 7.x.

DrupalOAuthClient::signatureMethod defaults to SHA1, not SHA512

Comments

Comment #1

Comment #2

Comment #3

Comment #4

News items

Our community

Documentation

Drupal code base

Governance of community