Timothee Maret created SLING-6638:
-------------------------------------
Summary: Vault Package Builder should not allow SHA1, MD5 digest
algorithm
Key: SLING-6638
URL: https://issues.apache.org/jira/browse/SLING-6638
Project: Sling
Issue Type: Bug
Components: Content Distribution
Affects Versions: Content Distribution Core 0.2.6
Reporter: Timothee Maret
Fix For: Content Distribution Core 0.2.8
The {{VaultDistributionPackageBuilderFactory} [0] proposes the MD5, MD2 and
SHA-1 algorithms, for which collisions could realistically be forged.
SCD makes use of those algorithm for error detection (like a CRC) and not for
security. Despite that, we should deprecate the use of those algorithms IMO.
I propose to remove the three algorithms form the list of proposals, and throw
and exception if a non supported algorithm is used. The component end up not
being activated unless the configuration is corrected.
[0]
https://github.com/apache/sling/blob/trunk/contrib/extensions/distribution/core/src/main/java/org/apache/sling/distribution/serialization/impl/vlt/VaultDistributionPackageBuilderFactory.java#L191-L193
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
