change hash quick to throw when numIterations > 1 instead of logging

Description

None

Activity

Michael Offner 
31 March 2023 at 08:12

Sure we can do that, but I see no real benefit in this.

Doc for it:

“Generates a 16-character, hexadecimal string. This algorithm provides fast hashing but offers no cryptographic security.”

I added this option because hash is used a lot to just create a short key of a longer string for internal use with no security in mind. So having the option to make it more secure is not really a goal.

I would guess myself, nobody really cares about this in real life, but sure, we can also do it that way.

Brad Wood 
17 February 2023 at 18:47

No response to my concerns at all? We've thrown the baby out with the bathwater here. Why not just implement the iterations so the function does what it says it does?

Michael Offner 
16 February 2023 at 15:20

Atm “quick” simply ignores “numIterations” and that should not be the case, because people then assume that the function does something it does not. Also, “quick” is not an algorithm, so it is apart from the algorithms anyway.

Brad Wood 
17 August 2022 at 18:28

I don’t agree with this. It may not seem to make sense, but on its face, the hash function

  • supports several algorithms

  • lets you iterate over your choice of algorithm

Whether Lucee thinks it makes a great deal of sense to iterate over a given algorithm is really none of its concern. The security implications just need to be documented and let the user do what they want. There could be valid reasons to use a dummy algorithm, which may be configurable for quick performance on a dev server. I think this is being “too clever”.

Zac Spitzer 
17 August 2022 at 18:05

Created 17 August 2022 at 16:34
Updated 1 July 2023 at 15:37