mirrors/calibre-web
1
0
Fork 0
mirror of https://github.com/janeczku/calibre-web synced 2026-06-02 18:52:11 +00:00
Code Issues Releases Wiki Activity

Fix a dumb type condition in gdrive.py

Browse Source 
hashlib.md5(dbpath) returns a hash object, not a hex string. Comparing a string
(md5Checksum) to a hash object with != always returns True. This means the
DB-replacement code path is always entered, allowing an attacker who sends a
forged notification (with the known static token) to trigger an arbitrary
metadata.db download from GDrive, replacing the live database.
This commit is contained in:
jvoisin
2026-04-14 22:51:36 +02:00
parent 088778969d
commit 8ad9f4e3b7
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cps/gdrive.py
+1 -1
View File
@@ -140,7 +140,7 @@ try:
if response:
dbpath = os.path.join(config.config_calibre_dir, "metadata.db").encode()
if not response['deleted'] and response['file']['title'] == 'metadata.db' \
and response['file']['md5Checksum'] != hashlib.md5(dbpath): # nosec
and response['file']['md5Checksum'] != hashlib.md5(dbpath).hexdigest(): # nosec
tmp_dir = get_temp_dir()
log.info('Database file updated')