fix: replace weak hash functions with SHA-256

guan404ming · guan404ming · commit cdfb6e4baf4a · 2026-01-23T11:18:17.000+08:00
diff --git a/pylib/gyp/MSVSNew.py b/pylib/gyp/MSVSNew.py
@@ -34,7 +34,7 @@ def MakeGuid(name, seed="msvs_new"):
 
     Args:
       name: Target name.
-      seed: Seed for MD5 hash.
+      seed: Seed for SHA-256 hash.
     Returns:
       A GUID-line string calculated from the name and seed.
 
@@ -44,8 +44,8 @@ def MakeGuid(name, seed="msvs_new"):
     determine the GUID to refer to explicitly.  It also means that the GUID will
     not change when the project for a target is rebuilt.
     """
-    # Calculate a MD5 signature for the seed and name.
-    d = hashlib.md5((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
+    # Calculate a SHA-256 signature for the seed and name.
+    d = hashlib.sha256((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
     # Convert most of the signature to GUID form (discard the rest)
     guid = (
         "{"
diff --git a/pylib/gyp/generator/make.py b/pylib/gyp/generator/make.py
@@ -2169,7 +2169,7 @@ def WriteMakeRule(
             # - The multi-output rule will have an do-nothing recipe.
 
             # Hash the target name to avoid generating overlong filenames.
-            cmddigest = hashlib.sha1(
+            cmddigest = hashlib.sha256(
                 (command or self.target).encode("utf-8")
             ).hexdigest()
             intermediate = "%s.intermediate" % cmddigest
diff --git a/pylib/gyp/generator/ninja.py b/pylib/gyp/generator/ninja.py
@@ -809,9 +809,10 @@ def cygwin_munge(path):
                 outputs = [self.GypPathToNinja(o, env) for o in outputs]
                 if self.flavor == "win":
                     # WriteNewNinjaRule uses unique_name to create a rsp file on win.
-                    extra_bindings.append(
-                        ("unique_name", hashlib.md5(outputs[0]).hexdigest())
-                    )
+                    unique_name = hashlib.sha256(
+                        outputs[0].encode("utf-8")
+                    ).hexdigest()
+                    extra_bindings.append(("unique_name", unique_name))
 
                 self.ninja.build(
                     outputs,
@@ -2803,7 +2804,7 @@ def GenerateOutputForConfig(target_list, target_dicts, data, params, config_name
             build_file, name, toolset
         )
         qualified_target_for_hash = qualified_target_for_hash.encode("utf-8")
-        hash_for_rules = hashlib.md5(qualified_target_for_hash).hexdigest()
+        hash_for_rules = hashlib.sha256(qualified_target_for_hash).hexdigest()
 
         base_path = os.path.dirname(build_file)
         obj = "obj"
diff --git a/pylib/gyp/xcodeproj_file.py b/pylib/gyp/xcodeproj_file.py
@@ -429,7 +429,7 @@ def _HashUpdate(hash, data):
             hash.update(data)
 
         if seed_hash is None:
-            seed_hash = hashlib.sha1()
+            seed_hash = hashlib.sha256()
 
         hash = seed_hash.copy()
 
