Bug #1710

mod_secdownload MD5 compare should not be case sensitive

Added by Anonymous over 6 years ago. Updated about 6 years ago.

Status:FixedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:mod_secdownload
Target version:1.5.0
Missing in 1.5.x:

Description

In mod_secure_download.c you check on line 143 (int is_hex_len) for a
valid case insensitive MD5. So far so good. Later in 306 there is a
strncmp (case sensitive compare) to the generated (lower case) MD5.
Unfortunatly we used uppercase MD5 so now we have to use mod_rewrite.
MD5 is a hex str so it should be no matter whether the input is lower or
upper case. So please use strncasecmp or transform the input to lower case

  1. tail /var/log/lighttpd/error.log
    2008-07-02 13:57:42: (mod_secure_download.c.273) md5 invalid:
    B382E117AFE4B8F68CCF7F53364AD9FC/486B6D31/1395698/caesariv_update_de_10_12.exe
    b382e117afe4b8f68ccf7f53364ad9fc

sincerly Jan Michalowsky

-- sejamich

History

#1 Updated by stbuehler about 6 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

Fixed in r2251 and r2252 for 1.4 and 1.5

Also available in: Atom