vendor package issues #6619
Comments
|
Can you elaborate how a collision on a cache key is a possible security threat? |
|
In theory, two queries may produce the same hash (regardless of the hashing algorithm) and thus, the caller of one query may get access to the results produced by another. From the security-related static analysis standpoint, a proper fix would be eliminate hashing of the query in the cash and use the full query and parameters as the key. For instance, in the case of array-backed cash, PHP internally will hash the key but it will also compare the values during array access to avoid collisions. As for all other backends, there may be natural limitations to their key lengths, so again, a theoretically correct solution would be to implement a hash table that would map the queries and their parameters to the external cache key but also would properly handle hash collisions. At this point, it doesn't look like a practical problem, so I don't think we need to make any changes in the library. |
Hi,
we face security issue.. need for solution..
issue detail given below
package name : Doctrine DBAL
Package link : https://github.com/doctrine/dbal
issue description :
line numbers :
a) vendor/doctrine/dbal/src/Cache/QueryCacheProfile.php:130
solution need like this : It is recommended to avoid using SHA-1 for hashing. Instead, opt for stronger hashing algorithms such as SHA-256 to enhance security.
thanks
The text was updated successfully, but these errors were encountered: