Closed: modem7 closed 11 months ago
Thanks for noticing. The hash is not used for security, only to create the ID. The worst that can happen is somebody investing a tremendous amount of power to create a collision and erase an existing paste.
I don't think it's a very urgent or likely concern. I'll leave the issue open though, as it would be backward compatible to make it use sha256, so we can always do it in a future release.
Heya,
I just forked the project to do some work with Docker, and Snyk came back with the following in zerobin/paste.py:
hashlib.sha1 is insecure. Consider changing it to a secure hashing algorithm (e.g. SHA256).
Whether this is a concern or already known, I'm unsure, but thought I'd flag it regardless!
Please close if not a concern.
Cheers!
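The reply above names two points: a colliding ID could erase an existing paste, and moving to SHA-256 would be backward compatible. The sketch below illustrates both; it is an added example, not code from zerobin or its maintainers. It assumes the ID is the hex digest of the paste content and that pastes are stored as files under a root directory; `paste_id`, `paste_path`, `save_paste`, `load_paste` and `PasteCollision` are hypothetical names.

```python
import hashlib
import os
import tempfile


class PasteCollision(Exception):
    """Raised when an ID is already taken by different content."""


def paste_id(content: bytes, algo: str = "sha256") -> str:
    # Assumed scheme: the ID is the hex digest of the paste content.
    return hashlib.new(algo, content).hexdigest()


def paste_path(root: str, pid: str) -> str:
    # Accept only hex IDs of SHA-1 (40) or SHA-256 (64) length, so legacy
    # IDs keep resolving and an ID can never escape the root directory.
    if len(pid) not in (40, 64) or any(c not in "0123456789abcdef" for c in pid):
        raise ValueError("malformed paste id")
    return os.path.join(root, pid[:2], pid)


def load_paste(root: str, pid: str) -> bytes:
    with open(paste_path(root, pid), "rb") as fh:
        return fh.read()


def save_paste(root: str, content: bytes, algo: str = "sha256") -> str:
    pid = paste_id(content, algo)
    path = paste_path(root, pid)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    try:
        # O_EXCL makes creation atomic: an existing paste is never truncated.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        if load_paste(root, pid) == content:
            return pid  # identical paste submitted twice
        raise PasteCollision(pid)  # same ID, different content: refuse
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return pid


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    old = save_paste(root, b"legacy paste", algo="sha1")  # 40-char legacy ID
    new = save_paste(root, b"new paste")                  # 64-char ID
    print(len(old), len(new), load_paste(root, old))
```

With exclusive creation, a collision can at most cause the new paste to be rejected; the stored paste is left untouched whichever hash produces the ID.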