Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
attachment: Use SHA-256 instead of SHA-1
Overwriting an existing attachment file maliciously is possible since Yona uses SHA-1 algorithm, which is known to be shattered[1], to digest the contents to generate the names of the attachment files.

This fix ensures backward compatibility. Only new attachments have filenames generated by SHA-256 algorithm.

Fortunately, the length of 'name' column of 'attachment' table is 255 which is enough to store SHA-256 which requires 64.

[1]: https://shattered.it/
1 parent fb97b51, commit 21651f7
Showing 1 changed file with 7 additions and 7 deletions.
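The naming scheme the commit message describes, as an added example (not Yona's code and not taken from this commit): new attachments are named by the SHA-256 of their contents, while files already named by SHA-1 stay readable. The function names, the flat upload directory and the refuse-to-overwrite check are assumptions made for illustration.

```python
import hashlib
import os

# Hypothetical helpers for illustration; none of these names come from Yona.
SHA1_HEX_LEN = 40    # legacy attachment names
SHA256_HEX_LEN = 64  # names for new attachments; fits a 255-character 'name' column
HEX_DIGITS = set("0123456789abcdef")


def attachment_name(content: bytes) -> str:
    """Name for a new attachment: SHA-256 hex digest of its contents."""
    return hashlib.sha256(content).hexdigest()


def digest_for_name(name: str):
    """Pick the hash that produced an existing name, judged by its length."""
    if not set(name) <= HEX_DIGITS:
        raise ValueError("attachment name is not a lowercase hex digest")
    if len(name) == SHA256_HEX_LEN:
        return hashlib.sha256
    if len(name) == SHA1_HEX_LEN:
        return hashlib.sha1  # legacy file, kept readable for backward compatibility
    raise ValueError(f"unrecognised attachment name length: {len(name)}")


def store(upload_dir: str, content: bytes) -> str:
    """Write content under its SHA-256 name; never replace different bytes."""
    name = attachment_name(content)
    path = os.path.join(upload_dir, name)
    try:
        # O_EXCL makes creation fail instead of overwriting an existing file.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, "rb") as existing:
            if existing.read() != content:
                raise RuntimeError(f"{name} exists with other bytes; not overwriting")
        return name  # identical bytes are already stored
    with os.fdopen(fd, "wb") as out:
        out.write(content)
    return name


def verify(upload_dir: str, name: str) -> bool:
    """Recompute the digest of a stored file and compare it with its name."""
    hasher = digest_for_name(name)
    with open(os.path.join(upload_dir, name), "rb") as stored:
        return hasher(stored.read()).hexdigest() == name
```

Running `verify` over the upload directory flags any file whose bytes no longer match its name, whichever of the two digests named it.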