Make WordPress Core

Opened 2 months ago

Last modified 2 months ago

#60638 new enhancement

Gravatar: Upgrade md5 hashing algorithm to sha256

Reported by: henry.wright
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

Gravatar now seems to support the sha256 hashing algorithm.

Source https://docs.gravatar.com/general/hash/

Functions such as get_avatar_data() use the old md5 hashing algorithm. That's still supported by Gravatar but considering the md5 string can be reversed, privacy may be impacted in cases where a user's email is obtained from the md5 hash.

Change History (3)

This ticket was mentioned in Slack in #core by henrywright.


2 months ago

#2 @swissspidy
2 months ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

This ticket was mentioned in PR #6179 on WordPress/wordpress-develop by @jucaduca.


2 months ago
#3

  • Keywords has-patch added; needs-patch removed

Gravatar is changing the hash algorithm from md5 to sha256.

We currently have support for both, but we know that md5's algorithm is weak.

The function output should change as in the example below:
https://1.gravatar.com/avatar/18301bd96ed0ce394ded59bd34de229a?s=96&d=mm&r=g
to:
https://1.gravatar.com/avatar/397b0d12b48f689fad6730036b75e61fac515b62ed32340d0485fc719e073ae3

Final result:

Before:
https://github.com/WordPress/wordpress-develop/assets/252078/ecd0a845-7c06-4a5a-be08-2cf5fa0a8f3a

After:
https://github.com/WordPress/wordpress-develop/assets/252078/bd22a687-a038-483e-82ad-683e6592007c

Trac ticket: https://core.trac.wordpress.org/ticket/60638
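As an added example (not code from the ticket or from PR #6179), the following sketch builds a SHA-256 Gravatar URL and audits rendered HTML for avatar URLs that still carry a 32-character MD5 hash. The function names are hypothetical, the sample HTML is constructed from the two URLs quoted in the comment above, and the trim and lower-case step is assumed from the Gravatar hash documentation linked in the description.

```python
import hashlib
import re
from urllib.parse import urlencode, urlsplit

AVATAR_PATH = re.compile(r"^/avatar/([0-9a-fA-F]+)$")
URL_IN_HTML = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample page: the two avatar URLs from the ticket plus an unrelated image.
SAMPLE_HTML = (
    '<img src="https://1.gravatar.com/avatar/18301bd96ed0ce394ded59bd34de229a?s=96&d=mm&r=g">'
    '<img src="https://1.gravatar.com/avatar/'
    '397b0d12b48f689fad6730036b75e61fac515b62ed32340d0485fc719e073ae3">'
    '<img src="https://example.com/logo.png">'
)

def gravatar_hash(email):
    """SHA-256 hex digest of the trimmed, lower-cased address (assumed normalisation)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def gravatar_url(email, size=96, default="mm", rating="g"):
    """Avatar URL using the SHA-256 hash and the s/d/r arguments seen in the ticket."""
    query = urlencode({"s": size, "d": default, "r": rating})
    return f"https://gravatar.com/avatar/{gravatar_hash(email)}?{query}"

def classify(url):
    """Return 'md5', 'sha256' or 'unknown'; None if not a Gravatar avatar URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Exact host or a real subdomain only, so look-alike hosts are not matched.
    if host != "gravatar.com" and not host.endswith(".gravatar.com"):
        return None
    match = AVATAR_PATH.match(parts.path)
    if not match:
        return None
    # Hex digest length identifies the algorithm: 32 chars = MD5, 64 = SHA-256.
    return {32: "md5", 64: "sha256"}.get(len(match.group(1)), "unknown")

def audit(html):
    """Map every Gravatar avatar URL found in the HTML to its hash type."""
    found = {}
    for url in URL_IN_HTML.findall(html):
        kind = classify(url)
        if kind is not None:
            found[url] = kind
    return found

if __name__ == "__main__":
    for url, kind in audit(SAMPLE_HTML).items():
        print(f"{kind:7} {url}")
```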
