From ce19471f180d764bbcf5990dea5f60d4cd217dc7 Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Sat, 30 Apr 2022 13:52:23 -0400
Subject: Add comments around non-security-related uses of MD5
---
 libqpdf/QPDFEFStreamObjectHelper.cc | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'libqpdf')
diff --git a/libqpdf/QPDFEFStreamObjectHelper.cc b/libqpdf/QPDFEFStreamObjectHelper.cc
index 5810cf37..cbfe47a3 100644
--- a/libqpdf/QPDFEFStreamObjectHelper.cc
+++ b/libqpdf/QPDFEFStreamObjectHelper.cc
@@ -139,6 +139,8 @@ QPDFEFStreamObjectHelper::newFromStream(QPDFObjectHandle stream)
 stream.getDict().replaceKey(
 "/Type", QPDFObjectHandle::newName("/EmbeddedFile"));
 Pl_Discard discard;
+ // The PDF spec specifies use of MD5 here and notes that it is not
+ // to be used for security. MD5 is known to be insecure.
 Pl_MD5 md5("EF md5", &discard);
 Pl_Count count("EF size", &md5);
 if (!stream.pipeStreamData(&count, nullptr, 0, qpdf_dl_all)) {
-- cgit v1.2.3-70-g09d2
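Review bot: The comment added above `Pl_MD5 md5("EF md5", &discard);` says MD5 is insecure, but not what the digest is for or what a reader of the resulting file may rely on. The code that stores the digest is outside this hunk; presumably it fills the embedded-file checksum entry that the PDF spec defines in terms of MD5. I would have the comment state that contract, e.g. `// MD5 is mandated by the PDF spec for the embedded file checksum; it only detects accidental corruption` followed by `// and must not be relied on to detect tampering, because MD5 is not collision resistant.` The body of newFromStream starts and ends outside the hunk.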