Ditto Richard's comments about false-implications of security, but I'd
also like to add that *IF* folks decide on the whole that this is worth
adding, it should be done more generically than a setting for md5 and a
setting for sha1.
e.g.
<input type="hidden" name="__COMPUTE_HASH" value="md5">
or
<input type="hidden" name="__COMPUTE_HASH" value="sha1">
or
<input type="hidden" name="__COMPUTE_HASH" value="whirlpool">
or whatever hash algo you're looking for. The implementations in
ext/hash can be used and the resulting code in main/rfc1867.c will wind
up being simpler (since you'll be using the unified hash API rather than
the individual md5/sha1 APIs).
If someone (for some reason) has ext/hash disabled (it's
enabled-by-default since 5.1.2), then they just won't get a hash.
That's what package requirements and documentation are for.
-Sara
P.S. - Suggestions aside, I'm -1 on it.
Richard Lynch wrote:
What purpose does this serve, exactly?...
Seems like anybody who can intercept the upload and send bad file data
can also send a matching MD5 for the bad data...
Actually, re-reading the message clarified for me that you're doing
this only to save the time of whatever it would take to do an MD5 for
the file after its uploaded.
Can you PLEASE make 100% certain that this is specifically documented
to NOT be a "Security Feature" and it is NOT intended to indicate
secure transmission of the file?
Cuz I'm betting dollars to donuts that the masses of PHP scripters are
going to immediately mis-use this for that exact purpose...
On Mon, May 7, 2007 6:08 am, David Santinoli wrote:
Hi,
I'm submitting a patch to perform "on the fly" MD5/SHA1 digest
calculation of a file uploaded via the HTTP POST method. Being
not uncommon for applications to require some digest of a freshly
uploaded file, doing the math directly in the buffer where the file is
being read can save some time.
A similar patch was submitted in August 2004 and raised some interest,
but never got merged.
Digest calculation is triggered by setting the special input fields
COMPUTE_MD5 and/or COMPUTE_SHA1 to a non-zero value:
<input type="hidden" name="COMPUTE_SHA1" value="1">
(note that these assignments must precede the
<input type="file" name=...> field, as in the MAX_FILE_SIZE case.)
The result is found in the special variables
$_FILES[userfile]["md5"] and $_FILES[userfile]["sha1"].
These variables are only defined upon request of the corresponding
digest.
The patch was produced against the php6 CVS version of rfc1867.c
(1.190).
Cheers,
David
--
David Santinoli
Tieffe Sistemi S.r.l. viale Piceno 21, Milano
www.tieffesistemi.com tel. +39 02 45490882
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
