Opened 6 years ago

Closed 6 years ago

#184 closed defect (invalid)

mod_secdownload MD5 compare should not be case sensitive

Reported by: sejamich@… Owned by: moo
Priority: major Milestone: 1.3.0
Component: cacher Version: 1.2.1
Keywords: Cc:
Application: PHP Version:
Other Exts: SAPI: Irrelevant
Probability: Blocked By:
Blocking:

Description

Sry, for crossposting ...
In mod_secure_download.c you check on line 143 (int is_hex_len) for a
valid case insensitive MD5. So far so good. Later in 306 there is a
strncmp (case sensitive compare) to the generated (lower case) MD5.
Unfortunatly we used uppercase MD5 so now we have to use mod_rewrite and MD5 is a hex str so it should be no matter whether the input is lower or upper case.
So please use strncasecmp or transform the input to lower case

# tail /var/log/lighttpd/error.log
2008-07-02 13:57:42: (mod_secure_download.c.273) md5 invalid:
B382E117AFE4B8F68CCF7F53364AD9FC/486B6D31/1395698/caesariv_update_de_10_12.exe
b382e117afe4b8f68ccf7f53364ad9fc

Change History (1)

comment:1 Changed 6 years ago by moo

  • Resolution set to invalid
  • Status changed from new to closed

wrong trac, visit lighttpd trac for lighttpd issue

Note: See TracTickets for help on using tickets.