Check security hash before accepting downloaded files.

Fixes #7 in the simplest possible way. The current code will
ignore any files with a different security hash from the one
given by the developer. When ignoring, it emits a message
warning of a potentially malicious content. It will also always
emit a message when a downloaded file passes the security hash
check.
This commit is contained in:
Bernardo Vecchia Stein 2016-10-22 03:01:07 -02:00
parent 2e7694b89d
commit daee3bf493
2 changed files with 47 additions and 39 deletions

2
cachep2p.min.js vendored

File diff suppressed because one or more lines are too long

View file

@ -129,34 +129,42 @@ function CacheP2P(opts, callback){
// debug(b)
// debug(b.toString('utf8'))
var got_page = JSON.parse(b.toString('utf8'))
// self.emit('message', "Got cached version of "+got_page.url+" from web peer, modifying link to point to cache.")
// self.emit('message', "Got cached version of "+got_page.url+" from web peer, checking security hash.")
cached_link_lists[got_page.url] = got_page
self.update_links()
sha(got_page.page, function (page_hash) {
if (page_hash != self.security_sha1[got_page.url]) {
self.emit('message', 'Cached version of ' + got_page.url + ' has wrong security hash. This is possibly malicious content! Ignoring the version obtained.');
return;
}
window.onpopstate = function(to) {
document.documentElement.innerHTML = to.state.page
document.title = cached_mark+" "+to.state.title
window.scrollTo(0, 0);
self.emit('onpopstate', to)
self.emit('message', 'Cached version of ' + got_page.url + ' has a verified security hash! Proceeding by changing links in page.');
cached_link_lists[got_page.url] = got_page
self.update_links()
var this_page_links = document.getElementsByTagName('a')
for(var i = 0; i < this_page_links.length ; i++){
if(Object.keys(cached_link_lists).indexOf(this_page_links[i].href) > -1){
this_page_links[i].onclick = function(event){
event.preventDefault();
document.documentElement.innerHTML = cached_link_lists[event.target.href].page
document.title = cached_mark+' '+cached_link_lists[event.target.href].title
window.history.pushState({page: cached_link_lists[event.target.href].page, title: cached_link_lists[event.target.href].title},"", event.target.href);
setTimeout(function(){
window.scrollTo(0, 0);
}, 10)
window.onpopstate = function(to) {
document.documentElement.innerHTML = to.state.page
document.title = cached_mark+" "+to.state.title
window.scrollTo(0, 0);
self.emit('onpopstate', to)
var this_page_links = document.getElementsByTagName('a')
for(var i = 0; i < this_page_links.length ; i++){
if(Object.keys(cached_link_lists).indexOf(this_page_links[i].href) > -1){
this_page_links[i].onclick = function(event){
event.preventDefault();
document.documentElement.innerHTML = cached_link_lists[event.target.href].page
document.title = cached_mark+' '+cached_link_lists[event.target.href].title
window.history.pushState({page: cached_link_lists[event.target.href].page, title: cached_link_lists[event.target.href].title},"", event.target.href);
setTimeout(function(){
window.scrollTo(0, 0);
}, 10)
}
} else {
self.fetch(this_page_links[i])
}
} else {
self.fetch(this_page_links[i])
}
}
}
});
})
})
}