[wp-trac] [WordPress Trac] #20074: Attempt MD5 checksum verification in upgrader if available
WordPress Trac
noreply at wordpress.org
Sun Sep 15 06:11:02 UTC 2013
#20074: Attempt MD5 checksum verification in upgrader if available
--------------------------------------------+------------------
Reporter: sivel | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 3.7
Component: Upgrade/Install | Version: 2.8
Severity: normal | Resolution:
Keywords: has-patch commit needs-testing |
--------------------------------------------+------------------
Comment (by rmccue):
Replying to [comment:15 dd32]:
> Correct, it's not handled at present as it was modelled on the previous
> (incorrect) implementation.
>
> The check would need to change to
> {{{
> $md5_file = md5_file( $tmpfname );
> $content_md5 = bin2hex( base64_decode( $content_md5 ) );
> if ( $md5_file != $content_md5 ) {
> ...
> }}}
I believe this should actually be `md5_file( $tmpfname, true )` to get the
MD5 as raw binary data. It's also worth noting that although some servers
use base64 encoding as per the specification, many don't. IMO, we should
check the base64'd version first, then do the current check.

Also, can we split this into a separate function please? The REST API
needs to do these checks too, and it'd be nice to have it in a function
like `wp_md5_check( $filename, $header_value )` that can handle both
base64'd and non-encoded.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20074#comment:16>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
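
One way to write the combined check discussed in the comment above (base64 first, then the plain hex comparison), as an added example that is not WordPress code and not code from the ticket. The function name `example_content_md5_matches` is hypothetical, and the sample file and header values are constructed.

```php
<?php
/**
 * Hypothetical helper (not a WordPress function): compare a file's MD5 with a
 * Content-MD5 header value that is either base64 of the raw digest (the form
 * the specification describes) or a 32-character hex digest.
 */
function example_content_md5_matches( string $filename, string $header_value ): bool {
    $header_value = trim( $header_value );
    $raw_digest   = md5_file( $filename, true ); // true = 16 raw bytes, not hex
    if ( false === $raw_digest || '' === $header_value ) {
        return false; // unreadable file or empty header counts as a mismatch
    }

    // 1. Base64 form. A 32-character hex digest is also valid base64, but it
    //    decodes to 24 bytes, so the length test keeps the two forms apart.
    $decoded = base64_decode( $header_value, true ); // strict alphabet check
    if ( false !== $decoded && 16 === strlen( $decoded ) ) {
        return hash_equals( $raw_digest, $decoded );
    }

    // 2. Hex form, accepted in either letter case.
    if ( 1 === preg_match( '/^[0-9a-f]{32}$/i', $header_value ) ) {
        return hash_equals( bin2hex( $raw_digest ), strtolower( $header_value ) );
    }

    return false; // neither encoding recognised
}

// Constructed sample: one temp file checked against several header values.
$tmp = tempnam( sys_get_temp_dir(), 'md5' );
file_put_contents( $tmp, "constructed sample payload\n" );
$hex = md5_file( $tmp );

$headers = array(
    'base64 of raw digest' => base64_encode( md5_file( $tmp, true ) ),
    'upper-case hex'       => strtoupper( $hex ),
    'base64 of hex text'   => base64_encode( $hex ), // wrong encoding of the right digest
    'digest of other data' => md5( 'different content' ),
);
foreach ( $headers as $label => $value ) {
    printf( "%-22s %s\n", $label, example_content_md5_matches( $tmp, $value ) ? 'match' : 'mismatch' );
}
unlink( $tmp );
```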