Opened 12 years ago

Closed 12 years ago

#184 closed defect (invalid)

mod_secdownload MD5 compare should not be case sensitive

Reported by: sejamich@… Owned by: moo
Priority: major Milestone: 1.3.0
Component: cacher Version: 1.2.1
Keywords: Cc:
Application: PHP Version:
Other Exts: SAPI: Irrelevant
Probability: Blocked By:


Sry, for crossposting ...
In mod_secure_download.c you check on line 143 (int is_hex_len) for a
valid case insensitive MD5. So far so good. Later in 306 there is a
strncmp (case sensitive compare) to the generated (lower case) MD5.
Unfortunatly we used uppercase MD5 so now we have to use mod_rewrite and MD5 is a hex str so it should be no matter whether the input is lower or upper case.
So please use strncasecmp or transform the input to lower case

# tail /var/log/lighttpd/error.log
2008-07-02 13:57:42: (mod_secure_download.c.273) md5 invalid:

Change History (1)

comment:1 Changed 12 years ago by moo

  • Resolution set to invalid
  • Status changed from new to closed

wrong trac, visit lighttpd trac for lighttpd issue

Note: See TracTickets for help on using tickets.