[wp-trac] [WordPress Trac] #62005: Enhance wp_hash function to support custom hashing algorithms
WordPress Trac
noreply at wordpress.org
Sat Sep 7 07:10:42 UTC 2024
#62005: Enhance wp_hash function to support custom hashing algorithms
-----------------------------+-----------------------------
 Reporter:  pushpenderindia  |      Owner:  (none)
     Type:  enhancement      |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Security         |    Version:  trunk
 Severity:  normal           |   Keywords:  has-patch
  Focuses:  privacy          |
-----------------------------+-----------------------------
Currently, the `wp_hash` function hardcodes the hashing algorithm,
i.e. `md5`, but as we know, md5 is an insecure algorithm and is
`vulnerable to collision attacks`.

So the aim of this PR is to enhance the `wp_hash` function so that users
can supply a secure custom hashing algorithm such as `sha256` while
building plugins or themes.

If the `$algo` argument is not supplied, then it should fall back to `md5`,
just to support backward compatibility.

Following are some more details about this new feature enhancement:
**Summary**
This PR updates the wp_hash function to allow users to specify a custom
hashing algorithm, enhancing the security and flexibility of the function.
Previously, the function hardcoded the md5 algorithm, which is vulnerable
to collision attacks.
**Changes:**
Added a new parameter $algo to the wp_hash function, allowing users to
specify the hashing algorithm.
The default remains md5 for backward compatibility.
Implemented a check using hash_hmac_algos() to ensure the provided
algorithm is supported. If not, the function will fall back to md5.
**Benefits:**
Users can now choose more secure hashing algorithms like sha256.
Improved security by allowing the use of modern, collision-resistant
hashing algorithms.
**Backward Compatibility:**
The function retains md5 as the default algorithm, ensuring backward
compatibility with existing code.
**Testing:**
Tested with various algorithms (md5, sha256, sha512) to confirm correct
functionality.
Validated fallback to md5 when an unsupported algorithm is provided.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62005>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
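
The behaviour the ticket describes, as an added PHP sketch (not WordPress core code and not the ticket's attached patch), run against a misspelled algorithm name to show what the md5 fallback does to a caller who asked for something stronger. `demo_salt()` is a hypothetical stand-in for `wp_salt()`, and `demo_hash_strict()` is an alternative assumed here for comparison only.

```php
<?php
// Added sketch: not WordPress core code and not the ticket's patch.
// demo_salt() is a hypothetical stand-in for wp_salt(); the key is constructed.
function demo_salt( string $scheme = 'auth' ): string {
    return 'constructed-demo-key-' . $scheme;
}

// Behaviour as described in the ticket: optional $algo, validated against
// hash_hmac_algos(), falling back to md5 when it is not supported.
function demo_hash_fallback( string $data, string $scheme = 'auth', string $algo = 'md5' ): string {
    if ( ! in_array( $algo, hash_hmac_algos(), true ) ) {
        $algo = 'md5'; // the caller is not told about the downgrade
    }
    return hash_hmac( $algo, $data, demo_salt( $scheme ) );
}

// Hypothetical stricter variant (an assumption of this example, not proposed
// in the ticket): reject an unsupported name instead of downgrading.
function demo_hash_strict( string $data, string $scheme = 'auth', string $algo = 'md5' ): string {
    if ( ! in_array( $algo, hash_hmac_algos(), true ) ) {
        throw new InvalidArgumentException( "Unsupported HMAC algorithm: {$algo}" );
    }
    return hash_hmac( $algo, $data, demo_salt( $scheme ) );
}

$data   = 'user:42|action:export'; // constructed sample input
$legacy = demo_hash_fallback( $data );
$sha256 = demo_hash_fallback( $data, 'auth', 'sha256' );
$typo   = demo_hash_fallback( $data, 'auth', 'sha-256' ); // misspelled name

// Default call is unchanged from a plain HMAC-MD5 over the same key.
var_dump( hash_equals( hash_hmac( 'md5', $data, demo_salt() ), $legacy ) );

// Digest length differs per algorithm, so values stored under md5 will not
// compare equal after a caller switches to sha256.
printf( "md5: %d hex chars, sha256: %d hex chars\n", strlen( $legacy ), strlen( $sha256 ) );

// Compares the misspelled-name result with the md5 result.
var_dump( hash_equals( $legacy, $typo ) );

try {
    demo_hash_strict( $data, 'auth', 'sha-256' );
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), "\n";
}
```

Under the fallback rule the misspelled `sha-256` call returns the same value as the default md5 call, with nothing to tell the caller that the requested algorithm was not used.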