Loading...

XML

Word

Printable

Type: Improvement
Resolution: Won't Fix
Priority: Minor
Fix Version/s: None
Affects Version/s: 3.9
Component/s: Files API
Labels:
- CatalystIT
- partner

Affected Branches:
MOODLE_39_STABLE

If we are dealing with a normal file serving and not a range request, and it's sent as-is (eg binary and not using deflate / br etc) then we can sign the file with the sha1 hash which is already known ahead of time:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest

Note: the point of this is not to just send a digest which we could do with nginx or apache and sign what was actually sent, the point is to mitigate a risk of the file storage layer has been corrupted or compromised so that what was sent is what we expected should have been sent.

It would be nice to also Subresource_Integrity but it doesn't support sha1 (see MDL-58083 / MDL-58066) and that would also be blocked by ~~MDL-66006~~

has a non-specific relationship to

MDL-66006 Can access file methods aka refactor into a proper 'File Serving API'

Closed

MDL-58083 Refactor file hashing sha1 method out and make configurable and use hardened sha1

Reopened

Assignee:: Unassigned

Reporter:: Brendan Heywood

Participants:: Brendan Heywood

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 10/Nov/19 5:45 PM

Updated:: 11/Nov/19 10:06 AM

Resolved:: 11/Nov/19 10:06 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates

Clockify