Fix security issue. SHA1 has collisions, switching to SHA256

Joseph Milazzo 2021-03-14 10:23:10 -05:00
parent 98c23af680
commit 126fb57f4d
2 changed files with 75 additions and 83 deletions


@ -21,23 +21,15 @@ namespace API.Extensions
}
/// <summary>
/// Calculates SHA1 hash for a byte[] and sets as ETag. Ensures Cache-Control: private header is added.
/// Calculates SHA256 hash for a byte[] and sets as ETag. Ensures Cache-Control: private header is added.
/// </summary>
/// <param name="response"></param>
/// <param name="content">If byte[] is null or empty, will only add cache-control</param>
public static void AddCacheHeader(this HttpResponse response, byte[] content)
{
// Calculates SHA1 Hash for byte[]
if (content == null || content.Length <= 0) return;
using var sha1 = new System.Security.Cryptography.SHA1CryptoServiceProvider();
using var sha1 = new System.Security.Cryptography.SHA256CryptoServiceProvider();
response.Headers.Add("ETag", string.Concat(sha1.ComputeHash(content).Select(x => x.ToString("X2"))));
// Not Needed with Response Caching
// if (!response.Headers.Keys.Contains("Cache-Control"))
// {
// response.Headers.Add("Cache-Control", "private");
// }
}
}
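Review bot: The local in AddCacheHeader is still named `sha1` although the new declaration creates a SHA-256 instance, which will mislead anyone later auditing the code for remaining SHA-1 use. `using var sha256 = System.Security.Cryptography.SHA256.Create();` names it correctly and uses the factory method instead of the CryptoServiceProvider wrapper, which later .NET releases mark obsolete; the `ComputeHash` call on the next line needs the same rename. The updated summary still says the method ensures `Cache-Control: private`, and the `content` param says a null or empty array "will only add cache-control", but as far as this view shows the only code that set that header is commented out or removed and the early return adds nothing. The doc comment should state that the method sets only the ETag and that cache privacy depends on the response caching configuration, so callers serving per-user content do not assume this extension protects them from shared caches.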