
phpspreadsheet use of MD5 hashing

This question is for the developers of phpexcel/phpspreadsheet.

We are currently using the library on our website to generate Excel files (obviously) and are in the process of getting SOC2 certified, which requires us to run all our code and third-party code through a security scanner.

The scanner returns 36 vulnerabilities, all of which are "Use of a Broken or Risky Cryptographic Algorithm", as a result of simply using the MD5 function call.

So my question is: why is the hashing done using MD5, and why are we hashing it? If I can better understand what's going on I can try changing the hashing mechanism, or at least explain why it really isn't a security risk.

I am not one of the developers of phpspreadsheet, but I have some observations on how it is using the md5 function.

IMO, the reported vulnerabilities are false positives. It is true that using md5() for securing data (particularly passwords) is not appropriate. But there are other uses for a hash value besides security. It seems the code scan assumes md5 is being used for cryptographic purposes. It is not.

Just take a look at the source code to see where md5() is used. Primarily, it's used to create a hash of objects with multiple property values so that it's easy to compare objects and all their property values. I did not find any use of it that involved a password or other security-related task.

Style objects (i.e. borders, colors, alignment, etc.) are a common target for md5 hashing. Consider a "border" object. It's a lot easier to compare the hash of the combined top, right, bottom, left, and diagonal values than to walk through the properties one at a time to compare values with the same property in another object.

All that said, I do not claim that phpspreadsheet is cryptographically secure or that every use of md5 is appropriate. I did not examine each and every use of md5. But I think there is a case to be made that the report is not entirely accurate.

As DFriend has already noted, the use of md5() within PHPExcel/PHPSpreadsheet is not (with one exception) being used for cryptographic purposes. It is used to generate quasi-unique hashes/checksums for quick comparison of object values.

The one exception to that is for verification of any Xls password, because MS Excel itself uses md5 hashing as part of its password verification. For your SOC2 certification, you'd have to take that one up with Microsoft.
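To make the "hash as an equality key" pattern from both answers concrete, here is an added example (not PhpSpreadsheet's own code) of a minimal border-style object whose `getHashCode()` covers all of its properties, used to deduplicate a collection; the `Border` class, its property names and the sample values are constructed for this illustration. It also shows that the comparison works identically with a non-MD5 algorithm, which is the practical route if a scanner keeps flagging md5() calls.

```php
<?php
// Added example (not PhpSpreadsheet's own code): a minimal style object whose
// identity is a hash over every property value, the pattern the library's
// getHashCode() methods follow. The hash is only an equality/dedup key, so
// any digest with a low collision probability works; nothing secret is hashed.
final class Border
{
    public function __construct(
        private string $top,
        private string $right,
        private string $bottom,
        private string $left,
        private string $diagonal,
    ) {}

    /** Equality key built from all properties; $algo is any name from hash_algos(). */
    public function getHashCode(string $algo = 'md5'): string
    {
        // Join the values with a separator so 'ab'+'c' and 'a'+'bc' hash differently.
        return hash($algo, implode('|', [
            $this->top, $this->right, $this->bottom, $this->left, $this->diagonal,
        ]));
    }
}

// Constructed sample objects: two identical borders and one that differs.
$a = new Border('thin', 'thin', 'thin', 'thin', 'none');
$b = new Border('thin', 'thin', 'thin', 'thin', 'none');
$c = new Border('thin', 'thin', 'thin', 'thin', 'thick');

// Deduplicate by hash code: objects with identical property values collapse
// to one entry without comparing each property in turn.
$unique = [];
foreach ([$a, $b, $c] as $border) {
    $unique[$border->getHashCode()] = $border;
}
assert(count($unique) === 2);

// The dedup result does not depend on md5 specifically: swapping in sha256
// (or any other algorithm) gives the same grouping, because only equality of
// the digest is ever used.
$withSha = [];
foreach ([$a, $b, $c] as $border) {
    $withSha[$border->getHashCode('sha256')] = $border;
}
assert(count($withSha) === 2);
assert($a->getHashCode('sha256') === $b->getHashCode('sha256'));
echo count($unique) . " distinct borders\n";
```

Requires PHP 8.0 or later for constructor property promotion.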
