Opened 5 years ago
Closed 5 years ago
#184 closed defect (invalid)
mod_secdownload MD5 compare should not be case sensitive
| Reported by: | sejamich@… | Owned by: | moo |
|---|---|---|---|
| Priority: | major | Milestone: | 1.3.0 |
| Component: | cacher | Version: | 1.2.1 |
| Keywords: | | Cc: | |
| Application: | | PHP Version: | |
| Other Exts: | | SAPI: | Irrelevant |
| Probability: | | Blocked By: | |
| Blocking: | | | |
Description
Sorry for crossposting ...
In mod_secure_download.c you check on line 143 (int is_hex_len) for a
valid case-insensitive MD5. So far so good. Later, on line 306, there is a
strncmp (case-sensitive compare) to the generated (lower case) MD5.
Unfortunately we used uppercase MD5, so now we have to use mod_rewrite, and MD5 is a hex string, so it should not matter whether the input is lower or upper case.
So please use strncasecmp or transform the input to lower case.
```
# tail /var/log/lighttpd/error.log
2008-07-02 13:57:42: (mod_secure_download.c.273) md5 invalid:
B382E117AFE4B8F68CCF7F53364AD9FC/486B6D31/1395698/caesariv_update_de_10_12.exe
b382e117afe4b8f68ccf7f53364ad9fc
```
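The mismatch described in the ticket, as an added example that is not part of the ticket and not lighttpd's code: a hex check that accepts both cases followed by a case-sensitive `strncmp` rejects a valid uppercase token, while a case-folding compare accepts it. The function names are hypothetical, the two sample strings are the values from the error log above, and the compare also avoids stopping at the first differing character, which is an added hardening choice for token checks.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MD5_HEX_LEN 32

/* Values taken from the error log quoted in the ticket. */
static const char SAMPLE_SUPPLIED[] =
    "B382E117AFE4B8F68CCF7F53364AD9FC/486B6D31/1395698/caesariv_update_de_10_12.exe";
static const char SAMPLE_EXPECTED[] = "b382e117afe4b8f68ccf7f53364ad9fc";

/* Hypothetical helper: 1 if s begins with MD5_HEX_LEN hex digits in either
 * case. A shorter string fails at its terminating NUL, so no over-read. */
static int is_md5_hex(const char *s) {
    size_t i;
    for (i = 0; i < MD5_HEX_LEN; i++) {
        if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

/* Hypothetical helper: compare a client-supplied token with the locally
 * generated digest. Assumes expected_lower holds at least MD5_HEX_LEN
 * lower-case hex characters. Folds the supplied token to lower case and
 * ORs all differences together instead of returning at the first one. */
static int md5_hex_equal(const char *supplied, const char *expected_lower) {
    unsigned char diff = 0;
    size_t i;
    if (!is_md5_hex(supplied)) return 0;
    for (i = 0; i < MD5_HEX_LEN; i++) {
        diff |= (unsigned char)tolower((unsigned char)supplied[i])
                ^ (unsigned char)expected_lower[i];
    }
    return diff == 0;
}

int main(void) {
    /* Case-sensitive compare, as the ticket describes for line 306. */
    printf("strncmp:       %s\n",
           strncmp(SAMPLE_SUPPLIED, SAMPLE_EXPECTED, MD5_HEX_LEN) == 0
               ? "match" : "mismatch");
    /* Case-folding compare on the same two values. */
    printf("md5_hex_equal: %s\n",
           md5_hex_equal(SAMPLE_SUPPLIED, SAMPLE_EXPECTED) ? "match" : "mismatch");
    return 0;
}
```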
Change History (1)
comment:1 Changed 5 years ago by moo
- Resolution set to invalid
- Status changed from new to closed


Wrong trac, visit the lighttpd trac for lighttpd issues.