Replace hashlib.md5() with hashlib.blake2b()

It is faster, and more secure.
zas · Sep 19, 2023 · cbfc90f · cbfc90f
1 parent a12aa45
commit cbfc90f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/picard/coverart/image.py b/picard/coverart/image.py
@@ -28,7 +28,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 
-from hashlib import md5
+from hashlib import blake2b
 import os
 import shutil
 import tempfile
@@ -77,9 +77,7 @@ def __init__(self, data, prefix='picard', suffix=''):
         self._filename = None
         _datafile_mutex.lock()
         try:
-            m = md5()  # nosec
-            m.update(data)
-            self._hash = m.hexdigest()
+            self._hash = blake2b(data).hexdigest()
             if self._hash not in _datafiles:
                 (fd, self._filename) = tempfile.mkstemp(prefix=prefix, suffix=suffix)
                 QObject.tagger.register_cleanup(self.delete_file)

diff --git a/picard/tagger.py b/picard/tagger.py
@@ -47,7 +47,7 @@
 
 import argparse
 from functools import partial
-from hashlib import md5
+from hashlib import blake2b
 import logging
 import os
 import platform
@@ -1532,8 +1532,12 @@ def main(localedir=None, autoupdate=True):
     if picard_args.stand_alone_instance:
         identifier = uuid4().hex
     else:
-        identifier = md5(picard_args.config_file.encode('utf8')).hexdigest() if picard_args.config_file else 'main'  # nosec: B303
-        identifier += '_NP' if picard_args.no_plugins else ''
+        if picard_args.config_file:
+            identifier = blake2b(picard_args.config_file.encode('utf8'), digest_size=16).hexdigest()
+        else:
+            identifier = 'main'
+        if picard_args.no_plugins:
+            identifier += '_NP'
 
     if picard_args.processable:
         log.info("Sending messages to main instance: %r", picard_args.processable)