<h1>Redmine - Patch #25240: Use SHA256 for attachment digest computation</h1>
<p><a href="https://www.redmine.org/issues/25240">https://www.redmine.org/issues/25240</a></p>
<p><strong>Go MAEDA</strong>, 2017-03-02T03:47:46Z (<a href="https://www.redmine.org/issues/25240?journal_id=77025">journal 77025</a>)</p>
<ul><li><strong>Blocks</strong> <i><a class="issue tracker-3 status-5 priority-4 priority-default closed" href="/issues/25215">Patch #25215</a>: Re-use existing identical disk files for new attachments</i> added</li></ul>
<p><strong>Go MAEDA</strong>, 2017-03-02T04:46:31Z (<a href="https://www.redmine.org/issues/25240?journal_id=77027">journal 77027</a>)</p>
<p>Thanks for the patch.<br />But I encountered the following error while running <code>rake redmine:attachments:update_digest_to_sha256</code> in my test environment.</p>
<pre>
rake aborted!
Errno::ENOENT: No such file or directory @ rb_sysopen - /Users/maeda/redmines/redmine-trunk/files/2006/07/060719210727_error281.txt
</pre>
<p>I think that Attachment#update_digest_to_sha256! should simply ignore the record if the corresponding file for the record does not exist.</p>
<p><strong>Jens Krämer</strong>, 2017-03-02T06:17:43Z (<a href="https://www.redmine.org/issues/25240?journal_id=77030">journal 77030</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/17847">0002-adds-a-rake-task-to-convert-the-digests-of-existing-.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/17847/0002-adds-a-rake-task-to-convert-the-digests-of-existing-.patch">0002-adds-a-rake-task-to-convert-the-digests-of-existing-.patch</a> added</li></ul><p>Yes. Here's the updated patch no. 2 with the <code>readable?</code> check added.</p>
<p><strong>Go MAEDA</strong>, 2017-03-02T12:47:04Z (<a href="https://www.redmine.org/issues/25240?journal_id=77033">journal 77033</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/17849">add-algorithm-name.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/17849/add-algorithm-name.png">add-algorithm-name.png</a> added</li></ul><p>Jens Krämer wrote:</p>
<blockquote>
<p>Yes. Here's the updated patch no. 2 with the <code>readable?</code> check added.</p>
</blockquote>
<p>Thanks, now it works fine for me.</p>
<p>I have a suggestion. What about adding "MD5: " or "SHA256: " before hash values in app/views/files/index.html.erb? In the current implementation, it is a little bit difficult for users to know what hash algorithm is used to calculate the checksum.</p>
<pre><code class="diff syntaxhl"><span class="gh">diff --git a/app/views/files/index.html.erb b/app/views/files/index.html.erb
index 05fe37a..f111744 100644
</span><span class="gd">--- a/app/views/files/index.html.erb
</span><span class="gi">+++ b/app/views/files/index.html.erb
</span><span class="p">@@ -31,7 +31,7 @@</span>
<td class="created_on"><%= format_time(file.created_on) %></td>
<td class="filesize"><%= number_to_human_size(file.filesize) %></td>
<td class="downloads"><%= file.downloads %></td>
<span class="gd">- <td class="digest"><%= file.digest %></td>
</span><span class="gi">+ <td class="digest"><%= file.digest.size < 64 ? "MD5" : "SHA256" %>: <%= file.digest %></td>
</span> <td class="buttons">
<%= link_to(image_tag('delete.png'), attachment_path(file),
:data => {:confirm => l(:text_are_you_sure)}, :method => :delete) if delete_allowed %>
</code></pre>
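Review bot: the length test <code>file.digest.size &lt; 64 ? "MD5" : "SHA256"</code> on the <code>+</code> line labels every digest shorter than 64 characters as MD5, including an empty string, so a record whose digest was never computed would render as <code>MD5:</code> with nothing after it. Comparing against the two known hex lengths explicitly (32 for MD5, 64 for SHA-256) and leaving anything else unlabelled would be safer, and moving that decision out of the view into a model method (the <code>Attachment#digest_type</code> idea raised later in this thread) keeps the rule in one place instead of duplicating it between the view and the rake task's own length-based query.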
<p><img src="https://www.redmine.org/attachments/download/17849/add-algorithm-name.png" alt="add-algorithm-name.png" /></p>
<p><strong>Jens Krämer</strong>, 2017-03-03T04:55:44Z (<a href="https://www.redmine.org/issues/25240?journal_id=77050">journal 77050</a>)</p>
<p>Yes, that makes sense. The check on the length of the digest to find out which one it is isn't particularly nice (I know I did the same in my query for finding the attachments to upgrade), but I'm still not sure adding the hashing algorithm as a field to the Attachment model is any better. Maybe we could have a method named <code>Attachment#digest_type</code> to at least clean up the view?</p>
<p><strong>Go MAEDA</strong>, 2017-03-03T05:05:59Z (<a href="https://www.redmine.org/issues/25240?journal_id=77051">journal 77051</a>)</p>
<ul></ul><p>Jens Krämer wrote:</p>
<blockquote>
<p>Maybe we could have a method named <code>Attachment#digest_type</code> to at least clean up the view?</p>
</blockquote>
<p>Yes, absolutely agree.</p>
<p><strong>Jean-Philippe Lang</strong>, 2017-03-03T20:42:48Z (<a href="https://www.redmine.org/issues/25240?journal_id=77079">journal 77079</a>)</p>
<ul><li><strong>Target version</strong> set to <i>3.4.0</i></li></ul>
<p><strong>Jens Krämer</strong>, 2017-03-11T23:57:34Z (<a href="https://www.redmine.org/issues/25240?journal_id=77236">journal 77236</a>)</p>
<ul><li><strong>File</strong> <a href="/attachments/17890">0003-change-MD5-table-header-to-Checksum.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/17890/0003-change-MD5-table-header-to-Checksum.patch">0003-change-MD5-table-header-to-Checksum.patch</a> added</li></ul><p>Here's the updated patch 3, showing the digest used for each file in the files list.</p>
<p><strong>Jean-Philippe Lang</strong>, 2017-04-03T11:48:35Z (<a href="https://www.redmine.org/issues/25240?journal_id=77695">journal 77695</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Assignee</strong> set to <i>Jean-Philippe Lang</i></li></ul><p>Patches are committed, thanks Jens. I've made a few changes to the patches and changed the fixture used in the test to a binary file (possible failure due to \r\n EOLs).</p>
<p><strong>Shane Coles</strong>, 2021-04-26T22:08:47Z (<a href="https://www.redmine.org/issues/25240?journal_id=102249">journal 102249</a>)</p>
<p>I know this issue is really old at this point, but if anyone is still watching it by chance, I could use some help. I am migrating a Redmine server to a FIPS validated server and running into issues because of the MD5 validation. I found this issue and it sounds like it could solve the problem. Unfortunately, when I tried to run the patches, it prompted me for which files I would like patched, and the answer is that I do not know.<br />If these patches can make it so that Redmine attachments/repos can be viewed on a FIPS server, that would be great, and any instructions to that end would also be nice.<br />Thanks!</p>
<p><strong>Pavel Rosický</strong>, 2021-04-26T23:11:56Z (<a href="https://www.redmine.org/issues/25240?journal_id=102250">journal 102250</a>)</p>
<p>IIRC, even <code>require 'digest/md5'</code> is a problem on FIPS.</p>
<p>But Redmine uses it in many other places:<br /><a class="external" href="https://github.com/redmine/redmine/search?q=require+%27digest%2Fmd5%27">https://github.com/redmine/redmine/search?q=require+%27digest%2Fmd5%27</a></p>
<p>It's usually for cache key calculations or gravatars, which is safe from a security perspective, but since the algorithm itself isn't allowed, the app won't work.</p>
<p>Try to replace these occurrences with a different algorithm, but it may introduce incompatibilities. Do you know a way to reliably test it? (I don't have FIPS SW available.)</p>
<p>You should open a new ticket if you want to discuss further, since this one is already closed.</p>
<p><strong>Shane Coles</strong>, 2021-04-26T23:20:25Z (<a href="https://www.redmine.org/issues/25240?journal_id=102251">journal 102251</a>)</p>
<p>Thanks for the response. I will open a new ticket. I'm not a server expert at all; we've just always had this, and I need to move it and ran into this. Hopefully someone on the new ticket will know how to do it.</p>
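<p>The following is an added example, not code from the Redmine project or from any of the participants above. It puts the three ideas of this thread into one runnable piece: the rake task that recomputes digests with SHA-256 while skipping records whose file is no longer on disk (the <code>readable?</code> check from patch no. 2), an <code>Attachment#digest_type</code> helper that tells MD5 and SHA-256 apart by hex length instead of doing so in the view, and the FIPS concern raised at the end (nothing here requires <code>digest/md5</code>; the legacy 32-character digests are constructed literals). The <code>Attachment</code> struct, the <code>files_dir</code> parameter and the function names are stand-ins for the real ActiveRecord model and rake task, and the sample files and records are constructed inline.</p>

```ruby
require 'digest'
require 'tmpdir'
require 'fileutils'

# Hypothetical stand-in for Redmine's Attachment model (not the real class).
Attachment = Struct.new(:id, :disk_directory, :disk_filename, :digest) do
  # MD5 is 128 bits (32 hex chars), SHA-256 is 256 bits (64 hex chars).
  # Anything else (empty, truncated, unknown) is reported as nil rather than
  # being silently labelled MD5.
  def digest_type
    case digest.to_s.size
    when 32 then "MD5"
    when 64 then "SHA256"
    end
  end

  # Location of the stored file under the attachments root.
  def diskfile(files_dir)
    File.join(files_dir, disk_directory.to_s, disk_filename)
  end
end

# SHA-256 over the file contents; only FIPS-approved digests are used here.
def sha256_digest(path)
  Digest::SHA256.file(path).hexdigest
end

# Returns :already_sha256, :missing_file or :updated. A record whose file is
# unreadable or gone is left untouched instead of aborting the whole run.
def update_digest_to_sha256!(attachment, files_dir)
  return :already_sha256 if attachment.digest_type == "SHA256"
  path = attachment.diskfile(files_dir)
  return :missing_file unless File.readable?(path)
  attachment.digest = sha256_digest(path)
  :updated
end

# What the rake task would loop over; returns a count per outcome.
def migrate_all(attachments, files_dir)
  attachments.each_with_object(Hash.new(0)) do |a, counts|
    counts[update_digest_to_sha256!(a, files_dir)] += 1
  end
end

# Constructed scenario: one MD5 record with its file present, one MD5 record
# whose file was deleted (the path from the error above), one already on SHA-256.
def demo
  Dir.mktmpdir("attachments") do |files_dir|
    FileUtils.mkdir_p(File.join(files_dir, "2017/03"))
    File.write(File.join(files_dir, "2017/03/170302_hello.txt"), "hello")
    attachments = [
      # constructed legacy value: MD5("hello")
      Attachment.new(1, "2017/03", "170302_hello.txt", "5d41402abc4b2a76b9719d911017c592"),
      # constructed legacy value: MD5(""); file intentionally absent on disk
      Attachment.new(2, "2006/07", "060719210727_error281.txt", "d41d8cd98f00b204e9800998ecf8427e"),
      Attachment.new(3, "2017/03", "170302_hello.txt", Digest::SHA256.hexdigest("hello")),
    ]
    counts = migrate_all(attachments, files_dir)
    [counts, attachments]
  end
end

if __FILE__ == $0
  counts, attachments = demo
  p counts
  attachments.each { |a| puts "#{a.id}: #{a.digest_type}: #{a.digest}" }
end
```

<p>The view can then print <code>file.digest_type</code> next to <code>file.digest</code>, and a nil type shows up as a record that needs attention rather than as a bogus "MD5:" label.</p>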