Check security hash before accepting downloaded files.
Fixes #7 in the simplest possible way. The current code will ignore any files with a different security hash from the one given by the developer. When ignoring, it emits a message warning of a potentially malicious content. It will also always emit a message when a downloaded file passes the security hash check.
This commit is contained in:
parent
2e7694b89d
commit
daee3bf493
2 changed files with 47 additions and 39 deletions
2
cachep2p.min.js
vendored
2
cachep2p.min.js
vendored
File diff suppressed because one or more lines are too long
10
index.js
10
index.js
|
@ -129,8 +129,15 @@ function CacheP2P(opts, callback){
|
||||||
// debug(b)
|
// debug(b)
|
||||||
// debug(b.toString('utf8'))
|
// debug(b.toString('utf8'))
|
||||||
var got_page = JSON.parse(b.toString('utf8'))
|
var got_page = JSON.parse(b.toString('utf8'))
|
||||||
// self.emit('message', "Got cached version of "+got_page.url+" from web peer, modifying link to point to cache.")
|
// self.emit('message', "Got cached version of "+got_page.url+" from web peer, checking security hash.")
|
||||||
|
|
||||||
|
sha(got_page.page, function (page_hash) {
|
||||||
|
if (page_hash != self.security_sha1[got_page.url]) {
|
||||||
|
self.emit('message', 'Cached version of ' + got_page.url + ' has wrong security hash. This is possibly malicious content! Ignoring the version obtained.');
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
self.emit('message', 'Cached version of ' + got_page.url + ' has a verified security hash! Proceeding by changing links in page.');
|
||||||
cached_link_lists[got_page.url] = got_page
|
cached_link_lists[got_page.url] = got_page
|
||||||
self.update_links()
|
self.update_links()
|
||||||
|
|
||||||
|
@ -157,6 +164,7 @@ function CacheP2P(opts, callback){
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
});
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue