Newsgroups: php.internals
Message-ID: <3668.209.254.223.2.1178573428.squirrel@www.l-i-e.com>
In-Reply-To: <20070507110833.GA27937@aidi.santinoli.com>
Date: Mon, 7 May 2007 16:30:28 -0500 (CDT)
From: ceo@l-i-e.com ("Richard Lynch")
To: "David Santinoli"
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [PATCH] Passthrough MD5/SHA1 calculation of uploaded files

What purpose does this serve, exactly?...

Seems like anybody who can intercept the upload and send bad file
data can also send a matching MD5 for the bad data...

Actually, re-reading the message clarified for me that you're doing
this only to save the time of whatever it would take to do an MD5 for
the file after it's uploaded.

Can you PLEASE make 100% certain that this is specifically documented
to NOT be a "Security Feature" and it is NOT intended to indicate
secure transmission of the file?

Cuz I'm betting dollars to donuts that the masses of PHP scripters are
going to immediately mis-use this for that exact purpose...

On Mon, May 7, 2007 6:08 am, David Santinoli wrote:
>
> Hi,
> I'm submitting a patch to perform "on the fly" MD5/SHA1 digest
> calculation of a file uploaded via the HTTP POST method. Being
> not uncommon for applications to require some digest of a freshly
> uploaded file, doing the math directly in the buffer where the file is
> being read can save some time.
>
> A similar patch was submitted in August 2004 and raised some interest,
> but never got merged.
>
> Digest calculation is triggered by setting the special input fields
> COMPUTE_MD5 and/or COMPUTE_SHA1 to a non-zero value:
>
>
>
> (note that these assignments must precede the
> field, as in the MAX_FILE_SIZE case.)
>
> The result is found in the special variables
> $_FILES[userfile]["md5"] and $_FILES[userfile]["sha1"].
> These variables are only defined upon request of the corresponding
> digest.
>
> The patch was produced against the php6 CVS version of rfc1867.c
> (1.190).
>
> Cheers,
> David
> --
> David Santinoli
> Tieffe Sistemi S.r.l. viale Piceno 21, Milano
> www.tieffesistemi.com tel. +39 02 45490882
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
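
Added example, not part of the original message or of the patch: a userland PHP sketch of the distinction raised in the reply above. It hashes a body chunk by chunk as it arrives, then compares the result once against a digest carried in the same request and once against a digest obtained through a separate trusted channel. The function names and sample data are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample data; nothing below comes from the patch itself.

/** Hash a body incrementally, chunk by chunk, as a streaming receiver would. */
function streaming_digest(iterable $chunks, string $algo = 'sha1'): string
{
    $ctx = hash_init($algo);
    foreach ($chunks as $chunk) {
        hash_update($ctx, $chunk);   // no second pass over the stored file
    }
    return hash_final($ctx);
}

/** Compare the digest of what actually arrived with a reference digest. */
function digest_matches(iterable $chunks, string $reference): bool
{
    return hash_equals(streaming_digest($chunks), strtolower($reference));
}

$original = ['invoice #1001: ', 'pay 10 EUR to account A'];
$tampered = ['invoice #1001: ', 'pay 9999 EUR to account B'];

// Reference digest the sender published through a separate, trusted channel.
$outOfBand = sha1(implode('', $original));

// Case 1: the body was altered in transit and the digest field carried in the
// same request was replaced along with it. The comparison succeeds, because
// the digest only describes the bytes that arrived.
var_dump(digest_matches($tampered, sha1(implode('', $tampered))));

// Case 2: the same altered body checked against the out-of-band reference.
// The comparison fails, which is the only case where the digest says
// anything about integrity.
var_dump(digest_matches($tampered, $outOfBand));

// Case 3: the untouched body checked against the out-of-band reference.
var_dump(digest_matches($original, $outOfBand));
```

A digest computed by the receiver, such as the proposed $_FILES[userfile]["sha1"], is a fingerprint of the received bytes; it becomes an integrity check only when compared with a reference that did not travel with the upload.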