From: Patrick Canterino
Date: Fri, 5 Jun 2026 14:02:08 +0000 (+0200)
Subject: Merge branch 'fix_legacy_upload' into 'next-release'
X-Git-Tag: 4.7.2~9
X-Git-Url: https://git.p6c8.net/jirafeau/jirafeau.git/commitdiff_plain/39ff6f56cbd8157556111441c987f2dd3258090a?hp=f93cfddfd0fe0f6e78a8a27e05889d35db8a0dd4
Merge branch 'fix_legacy_upload' into 'next-release'
Fixed file encryption on classic upload
See merge request jirafeau/Jirafeau!34
---
diff --git a/f.php b/f.php
index 269b10b..870b4bd 100644
--- a/f.php
+++ b/f.php
@@ -171,7 +171,9 @@ if (!empty($link['key'])) {
 require(JIRAFEAU_ROOT.'lib/template/footer.php');
 exit;
 } else {
- if (hash_equals($link['key'], md5($_POST['key']))) {
+ if (strpos($link['key'], '[SHA256]') == 0 && hash_equals(substr($link['key'], 8), hash('sha256', $_POST['key']))) {
+ $password_challenged = true;
+ } elseif (hash_equals($link['key'], md5($_POST['key']))) {
 $password_challenged = true;
 } else {
 sleep(2);
diff --git a/lib/functions.php b/lib/functions.php
index e5a05b0..948a436 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -544,7 +544,7 @@ function jirafeau_add_file($file, $one_time_download, $key, $time, $ip, $crypt,
 /* hash password or empty. */
 $password = '';
 if (!empty($key)) {
- $password = md5($key);
+ $password = '[SHA256]' . hash('sha256', $key);
 }
 /* create link file */
@@ -1088,10 +1088,10 @@ function jirafeau_async_init($filename, $type, $one_time, $key, $time, $ip)
 $w_path = $p . $ref . '_data';
 touch($w_path);
- /* md5 password or empty */
+ /* sha256 password or empty */
 $password = '';
 if (!empty($key)) {
- $password = md5($key);
+ $password = '[SHA256]' . hash('sha256', $key);
 }
 /* Store information. */
@@ -1642,7 +1642,7 @@ function jirafeau_escape($string)
 function jirafeau_admin_session_start()
 {
 $_SESSION['admin_auth'] = true;
- $_SESSION['admin_csrf'] = md5(uniqid(mt_rand(), true));
+ $_SESSION['admin_csrf'] = hash('sha256', uniqid(mt_rand(), true));
 }
 function jirafeau_session_end()
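Review bot: The prefix test in the f.php hunk uses a loose comparison, `strpos($link['key'], '[SHA256]') == 0`, and `strpos()` returns `false` when the marker is absent, which also compares equal to 0. Legacy MD5 keys therefore enter the SHA-256 branch as well. In the lines shown they fail there only because `hash_equals()` rejects the length mismatch after `substr(..., 8)`. The check should be strict: `if (strpos($link['key'], '[SHA256]') === 0 && hash_equals(substr($link['key'], 8), hash('sha256', $_POST['key']))) {`. The enclosing `if (!empty($link['key']))` block starts and ends outside the hunk.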
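Review bot: The stored value `'[SHA256]' . hash('sha256', $key)` in the jirafeau_add_file hunk (-544) is an unsalted, single-pass digest of a user-chosen download password. Equal passwords give equal stored keys, and a disclosed link file can be tested against guesses at full hash speed. A salted, tunable hash would be `$password = password_hash($key, PASSWORD_DEFAULT);`, checked with `password_verify()` on the read side. The prefix scheme this commit introduces could presumably be extended so existing MD5 and SHA-256 entries stay verifiable. The same line is added in the jirafeau_async_init hunk (-1088). Both function bodies extend beyond their hunks.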
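Review bot: In jirafeau_admin_session_start (hunk -1642) the admin CSRF token is still derived from `uniqid(mt_rand(), true)`. That is a timestamp plus a non-cryptographic PRNG, so wrapping it in SHA-256 lengthens the token without making it harder to predict. A CSPRNG-backed token would be `$_SESSION['admin_csrf'] = bin2hex(random_bytes(32));`. This assumes the project's minimum PHP version provides `random_bytes()`.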
diff --git a/script.php b/script.php
index ae57449..301ebe8 100644
--- a/script.php
+++ b/script.php
@@ -183,7 +183,7 @@ if (isset($_FILES['file']) && is_writable(VAR_FILES)
 echo 'Error 9';
 exit;
 }
- if (strlen($link['key']) > 0 && md5($key) != $link['key']) {
+ if (strlen($link['key']) > 0 && hash('sha256', $key) != $link['key']) {
 sleep(2);
 echo 'Error 10';
 exit;
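Review bot: The new comparison `hash('sha256', $key) != $link['key']` cannot match the keys this same commit writes, because lib/functions.php stores them as `'[SHA256]' . hash('sha256', $key)` with the prefix included. Links created before the change hold an MD5 value and stop matching as well, so every password-protected request on this path appears to end in `Error 10`. The loose `!=` is also neither constant-time nor safe from PHP's numeric-string comparison, unlike the `hash_equals()` used in f.php. The check should mirror f.php: strip the prefix with a strict `=== 0` test, keep an MD5 fallback for legacy links, and compare with `hash_equals()`. The enclosing block starts and ends outside the hunk.

```php
$stored_key = $link['key'];
$key_ok = strpos($stored_key, '[SHA256]') === 0
    ? hash_equals(substr($stored_key, 8), hash('sha256', $key))
    : hash_equals($stored_key, md5($key)); // legacy MD5 links
if (strlen($stored_key) > 0 && !$key_ok) {
    // … unchanged: sleep(2); echo 'Error 10'; exit; …
```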