[wp-trac] [WordPress Trac] #20074: Attempt MD5 checksum verification in upgrader if available

WordPress Trac noreply at wordpress.org
Sun Sep 15 06:11:02 UTC 2013


#20074: Attempt MD5 checksum verification in upgrader if available
--------------------------------------------+------------------
 Reporter:  sivel                           |       Owner:
     Type:  task (blessed)                  |      Status:  new
 Priority:  normal                          |   Milestone:  3.7
Component:  Upgrade/Install                 |     Version:  2.8
 Severity:  normal                          |  Resolution:
 Keywords:  has-patch commit needs-testing  |
--------------------------------------------+------------------

Comment (by rmccue):

 Replying to [comment:15 dd32]:
 > Correct, it's not handled at present as it was modelled on the previous
 > (incorrect) implementation.
 >
 > The check would need to change to
 > {{{
 > $md5_file = md5_file( $tmpfname  );
 > $content_md5 = bin2hex( base64_decode( $content_md5 ) );
 > if ( $md5_file != $content_md5 ) {
 >  ...
 > }}}

 I believe this should actually be `md5_file( $tmpfname, true )` to get the
 MD5 as raw binary data. It's also worth noting that although some servers
 use base64 encoding as per the specification, many don't. IMO, we should
 check the base64'd version first, then do the current check.

 Also, can we split this into a separate function please? The REST API
 needs to do these checks too, and it'd be nice to have it in a function
 like `wp_md5_check( $filename, $header_value )` that can handle both
 base64'd and non-encoded.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/20074#comment:16>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
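
An added sketch of the helper requested in the comment above, not code from WordPress core or from the ticket's patch. The name `wp_md5_check( $filename, $header_value )` is taken from the comment; the body, the 16-byte length test used to tell the two encodings apart, and the use of `hash_equals()` (PHP 5.6+) are assumptions of this example.

```php
<?php
/**
 * Illustrative only: compare a file's MD5 with a Content-MD5 header value.
 * Accepts the spec form (base64 of the raw 16-byte digest) and the
 * non-standard form (32 hex characters) that some servers send.
 */
function wp_md5_check( $filename, $header_value ) {
	$header_value = trim( $header_value );

	// Raw binary digest, as suggested in the comment: md5_file( $file, true ).
	$raw = md5_file( $filename, true );
	if ( false === $raw ) {
		return false; // Unreadable file: treat as a failed check.
	}

	// 1. Spec form first. Strict decoding rejects stray characters, and only
	//    a 16-byte result can be an MD5 digest. A 32-character hex string is
	//    also valid base64 but decodes to 24 bytes, so it falls through.
	$decoded = base64_decode( $header_value, true );
	if ( false !== $decoded && 16 === strlen( $decoded ) ) {
		return hash_equals( $raw, $decoded );
	}

	// 2. Fallback: hex digest. Compared as strings with hash_equals() so that
	//    PHP's loose == / != numeric juggling ("0e..." values) cannot apply.
	if ( 1 === preg_match( '/^[0-9a-fA-F]{32}$/', $header_value ) ) {
		return hash_equals( bin2hex( $raw ), strtolower( $header_value ) );
	}

	return false; // Neither encoding recognised.
}

// Constructed sample: a temporary file standing in for a downloaded package.
$tmpfname = tempnam( sys_get_temp_dir(), 'md5' );
file_put_contents( $tmpfname, "constructed sample package contents\n" );

$hex_header    = md5_file( $tmpfname );                        // non-standard form
$base64_header = base64_encode( md5_file( $tmpfname, true ) ); // spec form

var_dump( wp_md5_check( $tmpfname, $base64_header ) );
var_dump( wp_md5_check( $tmpfname, strtoupper( $hex_header ) ) );
var_dump( wp_md5_check( $tmpfname, base64_encode( str_repeat( "\0", 16 ) ) ) );
var_dump( wp_md5_check( $tmpfname, 'not-a-digest' ) );

unlink( $tmpfname );
```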