[TYPO3-core] RFC: #10201: Duplicate cHash Values
Francois Suter
fsu-lists at cobweb.ch
Mon Aug 31 22:57:22 CEST 2009
Hi,

> This is an SVN patch request
>
> Type: Bug
> Branches: trunk
> BT Reference: http://bugs.typo3.org/view.php?id=10201

I discussed this RFC with Michael Stucki tonight and we looked at the
various issues that were raised lately.

First off was the thing with the indexed search. The attached v2 of the
patch introduces the usage of full md5 hashes in the indexed search too.
I have tested this in conjunction with the crawler extension and
couldn't observe any adverse effects. Right after posting this I will
send a mail to Dan Pötzinger (who now maintains the crawler), but I
don't think there's really any impact. The crawler just calls whatever
code the indexed search registered for execution, so it doesn't care
what that code does internally.

About the issue with Google reference, I think this is really minor and
Michael agrees on that. Google will refresh the URLs in a few days. And
anyway if you really care about referencing, you should use speaking
URLs and not show the cHash.

Lastly there's the worry about being able to recalculate the md5 hash
and extract the encryptionKey. Indeed the encryption is part of the
array that's serialized and then hashed to create the cHash. This
inclusion adds randomness to the hash. Because of this it is highly
unlikely that the md5 hash can be successfully cracked and the
encryption key recovered. However Michael will still ask the security
team what they think about it.

Cheers
--
Francois Suter
Cobweb Development Sarl - http://www.cobweb.ch
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 10201_v2.patch
Url: http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20090831/47e5c17b/attachment.txt