Switches from MD5 to SHA256 when computing the hash for gravatar URL (#40652).

git-svn-id: https://svn.redmine.org/redmine/trunk@22802 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/lib/plugins/gravatar/lib/gravatar.rb b/lib/plugins/gravatar/lib/gravatar.rb
index ea4a37cb5a0c311d7e04017d3e6d14c733fad369..4dc27db52b6b827076e3a4b0e37f6a33e855fe31 100644 (file)
--- a/lib/plugins/gravatar/lib/gravatar.rb
+++ b/lib/plugins/gravatar/lib/gravatar.rb
@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'digest/md5'
 require 'cgi'
 
 module GravatarHelper
@@ -65,7 +64,7 @@ module GravatarHelper
 
     # Return the gravatar URL for the given email address.
     def gravatar_url(email, options={})
-      email_hash = Digest::MD5.hexdigest(email)
+      email_hash = Digest::SHA256.hexdigest(email)
       options = DEFAULT_OPTIONS.merge(options)
       options[:default] = CGI::escape(options[:default]) unless options[:default].nil?
       gravatar_api_url(email_hash).tap do |url|

diff --git a/test/helpers/avatars_helper_test.rb b/test/helpers/avatars_helper_test.rb
index 03a4b1ea1385c03152153ca829ef4e3fa8220d33..06c4d59931356438dbffef75ea9c82c6019e916f 100644 (file)
--- a/test/helpers/avatars_helper_test.rb
+++ b/test/helpers/avatars_helper_test.rb
@@ -31,11 +31,11 @@ class AvatarsHelperTest < Redmine::HelperTest
   end
 
   def test_avatar_with_user
-    assert_include Digest::MD5.hexdigest('jsmith@somenet.foo'), avatar(User.find_by_mail('jsmith@somenet.foo'))
+    assert_include Digest::SHA256.hexdigest('jsmith@somenet.foo'), avatar(User.find_by_mail('jsmith@somenet.foo'))
   end
 
   def test_avatar_with_email_string
-    assert_include Digest::MD5.hexdigest('jsmith@somenet.foo'), avatar('jsmith <jsmith@somenet.foo>')
+    assert_include Digest::SHA256.hexdigest('jsmith@somenet.foo'), avatar('jsmith <jsmith@somenet.foo>')
   end
 
   def test_avatar_with_anonymous_user