Redmine - Patch #35217: Replace use of Digest::MD5 / Digest::SHA1 with ActiveSupport::Digest
https://www.redmine.org/issues/35217?journal_id=102364
2021-05-07T13:14:53Z, Pavel Rosický
<p>Thanks for working on this!</p>
<p>However, the OpenID change isn't safe. The SHA1 algorithm is hardcoded here and your change will break it.<br /><a class="external" href="https://github.com/redmine/redmine/blob/49e323ae7af2998fc2785319643a9ac5bc93c425/lib/plugins/open_id_authentication/test/mem_cache_store_test.rb#L126">https://github.com/redmine/redmine/blob/49e323ae7af2998fc2785319643a9ac5bc93c425/lib/plugins/open_id_authentication/test/mem_cache_store_test.rb#L126</a></p>
<p><a class="external" href="https://github.com/openid/ruby-openid">https://github.com/openid/ruby-openid</a> does support SHA256; maybe add an option to choose it? It has to be a separate option; it can't depend on Rails.application.config.active_support.hash_digest_class</p>
<p>The second missing part is gravatars: <a class="external" href="https://github.com/redmine/redmine/blob/master/lib/plugins/gravatar/lib/gravatar.rb#L68">https://github.com/redmine/redmine/blob/master/lib/plugins/gravatar/lib/gravatar.rb#L68</a><br />As discussed in <a class="external" href="https://www.redmine.org/boards/2/topics/65253">https://www.redmine.org/boards/2/topics/65253</a>, I don't think there's a way to support this feature without MD5, so if the digest isn't available, the feature has to be disabled.</p>
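<p>Added example, not part of the comment above and not Redmine's code: a stdlib-only Ruby sketch of the two points raised, namely that a digest fixed by an external protocol must not follow a site-wide configurable digest class, and that an MD5-dependent feature should switch off when MD5 is unavailable. The names AppDigest, PinnedDigest, peer_sha1, avatar_key and interop_report are hypothetical, AppDigest only stands in for the Rails setting named in the comment, and the sample input is constructed.</p>

```ruby
require "digest"
require "openssl"

# Hypothetical stand-in for a site-wide, operator-configurable digest such as
# Rails.application.config.active_support.hash_digest_class.
module AppDigest
  class << self
    attr_accessor :hash_digest_class

    def hexdigest(data)
      hash_digest_class.hexdigest(data)
    end
  end
  self.hash_digest_class = Digest::SHA256
end

# Digests fixed by an external protocol are pinned here and never read the
# site-wide setting. Names are illustrative, not Redmine's.
module PinnedDigest
  # True when the runtime's OpenSSL still provides the algorithm
  # (it may be refused, for example, under a FIPS-only policy).
  def self.available?(name)
    OpenSSL::Digest.new(name).hexdigest("probe")
    true
  rescue StandardError
    false
  end

  # Value that a SHA1-speaking peer will recompute on its side.
  def self.peer_sha1(data)
    OpenSSL::Digest.new("SHA1").hexdigest(data)
  end

  # Avatar lookup key: MD5 of the normalized address, or nil when MD5 is
  # unavailable so the caller can switch the feature off instead of crashing.
  def self.avatar_key(email)
    return nil unless available?("MD5")
    OpenSSL::Digest.new("MD5").hexdigest(email.strip.downcase)
  end
end

# Constructed sample input.
SAMPLE = "https://idp.example/server|constructed-handle"

def interop_report
  peer = Digest::SHA1.hexdigest(SAMPLE) # what the remote side computes
  { pinned_matches_peer: PinnedDigest.peer_sha1(SAMPLE) == peer,
    configurable_matches_peer: AppDigest.hexdigest(SAMPLE) == peer,
    avatar_key: PinnedDigest.avatar_key("  User@Example.ORG ") }
end
```

<p>With the site-wide class set to SHA256, only the pinned digest agrees with the peer; a nil avatar key is the signal to hide avatars.</p>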