Open
Description
I noticed the default cache key generator hashes the arguments using MD5. This can give collisions between two different function arguments, returning the wrong cached response. I think the MD5 hashing should be removed, and a caveat in the documentation that older versions can cause collisions in rare natural cases and with specially crafted arguments.
Specifically in one codebase I was working with, I realized this was being used in a secure context where a user -> permission lookup was being cached for faster authentication. The function signature contained user controllable values, like HTTP referrer. So an attacker could specially select the HTTP referrer value to give an MD5 collision with a super user's cached response.
Metadata
Metadata
Assignees
Labels
No labels