From 4890017c91ececf9c26264580be96c6dd7911071 Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Wed, 15 May 2024 10:28:18 +0200
Subject: [PATCH] fix: Correctly check result of function
Signed-off-by: Joas Schilling
---
 index.php | 4 ++--
 lib/Updater.php | 4 ++--
 updater.phar | Bin 757575 -> 757575 bytes
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/index.php b/index.php
index 31142c90..24aad88c 100644
--- a/index.php
+++ b/index.php
@@ -688,12 +688,12 @@ public function verifyIntegrity() {
 -----END CERTIFICATE-----
 EOF;
- $validSignature = (bool)openssl_verify(
+ $validSignature = openssl_verify(
 file_get_contents($this->getDownloadedFilePath()),
 base64_decode($response['signature']),
 $certificate,
 OPENSSL_ALGO_SHA512
- );
+ ) === 1;
 if ($validSignature === false) {
 throw new \Exception('Signature of update is not valid');
diff --git a/lib/Updater.php b/lib/Updater.php
index 8e5825a8..06f65e8b 100644
--- a/lib/Updater.php
+++ b/lib/Updater.php
@@ -652,12 +652,12 @@ public function verifyIntegrity() {
 -----END CERTIFICATE-----
 EOF;
- $validSignature = (bool)openssl_verify(
+ $validSignature = openssl_verify(
 file_get_contents($this->getDownloadedFilePath()),
 base64_decode($response['signature']),
 $certificate,
 OPENSSL_ALGO_SHA512
- );
+ ) === 1;
 if ($validSignature === false) {
 throw new \Exception('Signature of update is not valid');
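Review bot: The new `) === 1;` comparison in `verifyIntegrity()` has no comment saying why a truthiness check is unsafe here, so a later cleanup could quietly bring the cast back; the same applies to the identical hunk in lib/Updater.php. openssl_verify() returns 1 for a valid signature, 0 for an invalid one and -1 (or false) on error, and `(bool)-1` is true, which is the case the removed line accepted. I would add `// openssl_verify(): 1 = valid, 0 = invalid, -1/false = error; only an exact 1 may pass` directly above the call in both files. An error result is also now reported as 'Signature of update is not valid'; recording `openssl_error_string()` when the result is not 0 would let an operator tell an OpenSSL or certificate failure from a tampered download. The body of `verifyIntegrity()` starts and ends outside both hunks, so how `$response['signature']` is validated before this point is not visible here.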
diff --git a/updater.phar b/updater.phar index 384322376be7de0fd01b55688a3c127e8dfcf9c0..e406bfe031cace82582e83c2a23bd2ee5477896b 100755 GIT binary patch delta 5372 zcma)9cT`kYx4&iDy$sBqp~DC>QidW32+|R;VF3}N?c)MwYIF&f1d>lb4=(W6lT zO`!Nao}^5p|Rp~TVzkg)QVbj9Hq9njo+beVhg5Pmc?{Ghz3a8IfIDOv_YQKw+QZ9MqmAFCr{rvE(vuLtf-Ec zP<_3ZQlm0CO8c~E@d9n&TQM93aEAVVJsM>T9T=kwG%^sQxJ(d-Bq5 z^g~cjrk(5q-X>4#jD`obLPLVhjQLAnjyv~1Kb8P9k1@Hlfb86vmim;5d)ogYKh@rd=50QwV%q@1l$7XIm#V zrBM5O>W@-;Z}mr`y*tyr2d&8Id?^i*Ol6FhT8?`vMjwWHIMBYP3S&NV<+uUaduxyq z7=+$D2vpiDYQ~giyI4|?*@Fu7Xxc+J-;odyeJCBbumzTaxlYxh zwEwX0ZbFhOM7*q)S}}p(*z7M+FQ=f1i#Lm=2%_=P+;|4{QY|VZb-+79a}2YJUZN>h zDsV$5Wt}m4^nZZgb< zs({j>F(Iia)i+{^pO0Eet6#2KNeH)YUPl3hS&Xq*;<)3M7q21A2vp&xhUgCU4xPWz z73%GeVth;>(4v#;49d4qcluD8RoxJRuIPi%p=9UmpbfyAl^=M2DWG2$-8MpnHwbKhcwlk(g{{e^*LK>_Jn^L1?w&i;B%= zmPReFa=U&P>r#7X* zXWBOfsE!PKCOFKySoj#`p$%gM1aVw=V$UEHZTCl2dUrHTAHW1B+&FGbtA^iMXtg>u zw7W4Jx4e8)8DlDXm01Yu;2Zd@hAq&v^PcF0-oPMsL1{;19vBJtfICWcRnW?6qcX?2 zJd_rCotg^`Nn_e6{xGT^UtWqvxo4~0-s9ehNsfc+#%tbNVW%?~gXX;a7gEPO-aG57 zlsUJb(o36;EP>O^ALV%lGHt&u9OqZsv=x{~BDb?9rJHl)DLqhIJezg5@tK!W=p0E( zy)Kkxv#n`-rbn43Uk3FY#;Zs4{99~Ts9+T_D}$YIlzw!(g$>18x-#vv(C*AlbI-$| zHX+TS+`m&Pa_TJqwngPEwSQ)bpj>8_i8r<2jQfcvI%uE3F z{_iI%*dSL}b*TKFNtx*!e@e5L`?O;Hsj#}BWt%KY3iO;lly0**cG4AHVujoZt2mCe42AyPG8qO;SZrbD#qJ|gJQx|$^g?9`=x ztpW6|gw2WxP>-({fc4wPRY%!S)3BFsu_{BL4D_M&k@t$*P>vu3<{tEv9pM}lN_|)S zTnSxDS26Dg#-P$=29z17o`Uy*T|H`r1+s3-;_D1GT76;FVmLg5mSBHW5vXDO3&4MG z#-%!R(()c-42L1lD(Di+Ryo%wqphxbROG5Qdp}%!cgEX>uqmLzVmB`~AR9r@J*UgU zw|h=+qF_{V*+bb168cc;T^-RMO?U0g9BHBU%?Exq91hbUM6qlQUdjfiHl_Cjgsg91Xjs%0M&@;-yHfyLLx zB@ZCncNWDC^-J+6T+&yv*0p5E3AjdgU->Hw;2fY2rQ2_}I0038XIK@g-ogvvtZ$gw z<`kM6t#0jxIUKidy8TlWtW&}p{$Jo+svodu?c_TC-!(u}Ol zLl`3gPU;8YBo_S<9l;oGu%hc8W=iP&=wQaEf?WQJEU!gt!d1pmV23BQ?ul@iTAvTW z?e36>Z1k5Sj+q<+w*~!wXobc&O%6lobHWQU(4a8YZ4G=;g!G(u6&b<<)zU?Vr?B2V zhtAxwC$)GxIX>u>!&{wp2!uW(fYwgST7Zs+#WIr*!Nd`>?(|!eFjNs?M^hr)ROE#b zaVRxHy=FN${SHnXQiLWpQ_soqpd%&v#iNfSb5->dk?I*Y4^ThbH=)~G)MP;QL8~IY 
za8;#jGKH$aIDlUIx%eu&5TSnF9!`c2`GQGC^rD#^v|Ui&X6lLX3H1G&^OajckfM4@ zj#77VDL{?;#eN={BO-i8kNqH??siLXPaj5wm^0{9cs$GYa0bVHpU`>Y+qkSWF7GZK z+qBE=-j068)92mi{Jbc&N85opw(_eAG{+IDdf(kKCTj#dberIZe>@?*A{8FIn6YDM>C!B;>aet9?f5F)jyJVmi`ajQoPrzk`Q#nf zj{7G>CJ$`cum6CAgxI*)_>%q!@v$*Uaj}EqO8O-YXc<2+A+CQ(LP=7Kgd|5Z86Pn5 zAvj#a+woYQzY+HTHO2Qu-Vf)Q`9yL~;CCuGjmRBn2)X#UT~1Vk@%S!K!2P!gO$mhG zOS{98Iwgf%TrX#8NK|+JseszY*X(E+6QMyq3FRcSC%;#N^R^2XJbJ#~NL>5!^EBjT zA@8Okqbl{6Mw9+u8r(m^U+ghh$eJ|6!9lb%e~==pl-Cr)-*D`T^r2*$-C**^{@3_t z1aKx8NPW5fQy#-#fAV^{{*(>_rVn|uME{%iojV&@uttBu6&Ftj_c1lR4#xxwDe%Q4 z;f)7$wq?V$I$T=9J8&zj)`Dlx5}M=6HF^oJnjoa(E$M=u954%!COopQFq2dV3*dI= z7~u=;J1je{>aPvPqeo~1a7@0?j6_8Vb#A06U$D61UvmXLmL3RcB+4$Ni_GojU_mA? zQiWVE+^|ezV@CMy0nt=lECiZy@ie`bd@@ykOD4tBw2v(~{fQ<3pRDF(5<6TwL?S(r zwugXiO>_nvT`CyJF;DFZEw1e*=HtoxMF^sX55si>q!2u^M$nP4r<##Xuu{S|ClKfa ziH0kaW@|Ma+o;eGv@d~3y1G!1Lh|QQZTmDb{&&q-fnw?LqKRTIE}kcNk=>`Y7p+h- zhnlI!bxpX5{2Zjwk0ocuYrmHnHomk+7yZsMoto=${g;{n1WN4Rp4|ON)EPN`sunuM!}V8qk53uaROLWtC{cLMKeTE@k|wUSfyg3wg0!lrsCs8S<*?v3+K z3t6-kZg^^eq~M5yIv<=@!v|oKT?oKQX9N?fDwj#02STt!YdY&~|JUNnewqxj_y(Wm zMFo*G0UNpVJHJoBmlaJ0&O9I{kSX8t-J0U6Lwuo{>Kj>XO1mJDee3z#d%|dq`x8XtNpsDrHi2C5LdiRY{4RO$0yQ77I(nA3MzQ>dftG$P85tJG+$if zhwJBv22zzMHu%zR>hZ~aqMf>__S4i$f3w~pgyJGuBaybUW+2q?5TrzFj4Sr&(*B;7 zxB2Ty<9@MOXZpI#PcsU?nJtFn%o}_+vfQjmG2lt-1P8f1S19yUp+Ka=qsoL>BCZ$4 z$V|?Lj2h_(NL-vT1$v1(vQ-wp*DlkG&HpYN2^Pf322%Nr?o}l@@rFO4ka3FGT1x@6 zxQ|2Ej=+q!mdRIsy2*mNUyy*A7>4Qgc#?p7+Sw8KSF7&-t{bkOrgI~M@^veHFiaMl zKB+oaa?_z3=T2wzKPwEHmy>YuQV6|IuI?w1=@ZbuVPOl2Z;#clVmp8(k z`9M0OA?>?M4I_-fT2{ zx5biXW|vt>_|87LlY4ShY}8=qHDN0m^1--?4tyoYC5}wlFZUC1Vvfrt^(PszSDwz} zJ2@^L@ybJT6VkuHvisxgt3i=-M?(yBrVHRIR0lAg3)AQg%j7_Q`}GAW+NwRYKvhL-*d_qNM6{Hswm zU~*IAicU@oB?;~_c0+5&r<46gnP{mW2R5yev&gxxWUYo=oFOOpV#7??gFGsd-9xD? 
z1;3alOQbkRo}NtLy|;n6AaKpr$^`DWNFEQ_Civ59ZEc2nqhYwwn&78Io=-0*GdWr+ k4VJ8}0y4B+e%ZAoE+_l1_^u)6f^U6>=>Kv$WaVW2F9eAd0ssI2 delta 5345 zcma)8cR*BE)_*f^-psr=1M?XA3}xs|dX*^61W^%C17xj$g3(BeEtUwH6-%O`H+o~k zvKvrbMT2@RiJ~!46Ezr3EP+onvF&HqH8C;nckX>?O#b@#gY)K;->LW9d$b|qXhTH( zI%8BxS!r}qS!{G%?C7OiV*mX6--G}38)d2Tjq}ETQhJf&xWQ+y?MCU|jz}l;U`$!V zapSMvh(H?xDAS5^XSv9GK$BWfIx;r)H?%{hLNmJgxtH9~Eu=K1{@NVGYa$ucuc;gt zljboQEmlV}#$GMQmA_tFgxXaxjA2r9TtfcA4^gf#LyQfv&4v7;`NT zz#BJZ15N<)h|tR$z>J1N>7ttH$tXn=#55xyc-wb+9@(os&^lg35xlISnka*hXBuIS z95#-c4`Ca;0dq#-MA zq1n!UsJ_mCp1CR+-;Lt9kJfEzcp=DfQv^dHe0T59HE4%uU1roXqZ7w1sLfTw5Kr23 zTy<*aRaE7c#u&Q{Q1Y~c73dq2A8MQLA$$2LQBfL_Sm1|FGvB`Qd)-B)H1Fcj$1ngd zTx@f(FtjFDj`Kg0=?fF%hwg1~lTXPC8m0NWIvvqdI}mKNM>7r1%pwy6Sq5`51Ox)3 zCu8=5isG#;nkD+@vM1?nj3#l&M2SMkgkaO&nM9Roy=nryJe$;ZOwD z)Zun{Od}5PRPVY!fPSPi#&A21bJN^>g8s)r!K(dO>lsn?X4O6i#gtOx;D@80cRd~* zvhzVEqm`LQ!km`8^~Jx@Fwu(Ie9frc-&5(_eSg3M#66EdVha#+sqoK|m=W?MT zi`6i~szWEON`J z(m**2N=~Dvv{AqPJ`=PZ)uFW6I`r0;Zu&%UPZiKA59RQzhow^H4T`qAOE}(-ST;zMKJ+ROGaUKH2Ty{SwHh&vWB{xp8sO@n|$<^ z?#R#*_x{Z4Yfx&w?z)XlZ+(-9yfzu-WUCS$r5Q82ma{^)IBJo+*(?Ve6(OZ9@wWTS zvc*xE`)6=M(TDjZtB*V=0VLo2*;y91je);GHR1iRY-rY({Gj?|duz98d zlshWP1o!2*!zrZvg%$WgIkJI4HbSP;4muU1JN6lju@o3zn}2)uB6XXiD-&FXLAT5Q z^)bq^&roXdp?waM+=DnzE$F9asn@TuL$)DLYXg#&J!b6h31szun7#7G5^X$=%K<-C+yb z3C?=4(B6Zfvp#Z51t&`15DaD0o@Iro+LpjH%7Nj&@_Y;1@9kb%^yZHq@;Ep%v;&m> z$93gxzzadCUIMyzMUqdtDMCum&JLeV>q_sKs4geD8TJP?q_ly*F^4T_8l`;MsGkYj zmL1Jg-b$^1gIs=UUUM9Rff9Hs?Rwh6ai898tzroly>EwR`6&B+05o{*g*8jjQ(Gnr z{XQ(z-IXiNsKH0Uy8s%m&*?bDMgUCRUz<`|F^P`Uf$kxpbdg(i65Kxu1`lI9ygJ|& zI7G<|bOBs1P9w_hLsqXa##1o)g^xG_OTNF-pUvXy%7;oCp?s7`LzwP8sQX!nK7S0EkO`}Gruk4xEtoY|G-{VwAbj&C|lQkP{-=tV5UEe;<)dAJTV4_ z=sBi{M(8Cb%=6{A_30Hl*kf5rCbt7}m5;PQ#oh)Z&}dxt01lxQ$$@566QG>y>mb-Q z#r0SE#9)FRLEegKZje%qC2%e}Yx%I*s-CF*}VOYzGaQi(6G+~>_ zHo$Rc0-Y2}FK09*pst8O1zUQ0!GbHOZ-}BX1>S4>0z$J8302;mQvft5s_9!~3GGg$cc?NIzk=kB zPf{$}8{*HvjzDhnLJCumYluI)%Z|g&4oONccz&1pqx3L0lBp6J5kXM+!l4?{~47_5E%v}Qb=hRVW(CHq^%jHNz6 
z`Z2JeKv?YOi>^EeOJV*~d$^$A!n#MorN>YPwgA8ue>Qax@(Ne7`#Y3*@41$3XnI%* z1Dg!R6ca6R&%rzx*ienKGhe)(y~2Ii>v?f__v?9M_^Zsra)@@)4?gG6zao@Ue*%n& zE&p7PHmj7U6U;7md~a|TN(@$RGaVeWyOmEJ(1jpxhA|#AW-l8sA6*YtO1>Q$`Y3E& z8`{>bv3VZHE%Z9$_&KAo%tYyM5BR` zH%aFpRj3B14pKGXfI%t?))lDMkI=W_->xchEm_ww;ta) zK#QZAC9!o=ltzt*>Qn}NXO;9fRNrcAO?}%Vqt$7DBTq_os>Nz@yPqme)4KP-lK9|~ z*pleP(Pc@oiDOE8CM8BEm6pYnjE;#(Oe`xI9X+NbCax?lCMl_`wdzrf>i?~cpQ%-Y zTCIG(#_RDXJ&V)v26Gc#i59HQEwm#ZjYGCvev@wT4V7RNdn7!JTSn z;#H)2!jpH0sXox)`e5E4udCC}#kO<2`-*eC4c9mFT70iU2*USd?R(@%AMN-)IDCpO z6t~|JTyXFC+C;J>PMd9y+h*t_Tz^)u;K~Nxi>lAS6+a6p#CyIrPQq!Ag*pPvBfhw; zK=38;_S*gGKf});pg-M(l!WL{%D5<#&&D}50QE-^ylC=cfv#Gj zZ4pVYtwO4R^KJn6%WL4xgM1o>=3crM~25m2RdUx5-*PmDrJQ#_J9WBr;i_E|5{);#>A)$TBT* zB(_7^i|#n`sCJ;zYl=Yf8ns_oaBYoFAh(KzenvJ!xOTZFL}{RBrO<=+;8mP^o_E0B zExev|6$mB+ajg)}CMf|u`$_Agq|Tx$n4#D z=7)49>ioo)(Ae|PDh08dn2( z=X<_iA9B4|Gf}N1#HQ`RY)yy>=Y7uy|0OyMAw^Jo8-}shlgJi+rKb`s91UM(V4iK_ zR|-s%*i6FlOx(r8`GST-{-H_yPVxgpdKe`VwU!?zQg2=?1Y*+&$0Rx%MpC$t-(e;z z8~J?oAFaU93OBMLK$F=Ew@uRo;I3KF%!)CZXir>~s_*|-&EgV$T_`^AK(8a}{`$#k zHdf?ts=lX$FBR*@6R$=+a>Vf8n{0oq?=VvoJpqF=JoOborYzELa-*ftp<|0oc=}O@ z`e3$xqcc4KM)KWWeOD4Gou>P}1-IAm0!eccp9ti4lbER?i`~W30%PM`leh*Ko#$O} zL9Nc2ydjA{Ye--Xe@nvlV^kuke5kI_v$cicQy`TZ{)#|1nw9+hclBv4{q)=YR6R~b zSDBd^QB7C;)i9MWUbjLcl5G;d&5i)v)hc}Ng7z9Qol}pr674|snKJV5tjh777rTIFN9^Q@u~c-h;Jh=!Q{2@@G*hiWGBQ(SjxrVVKzLu|Yz@`tSNYYgzeWf93E2LtcluVWO*x|AgX$o!_D;dewl~TM4 z+fGPsxHex3A%SxxivwvMEA25U3Y+t#`9|FJv0$Z_)W#IFJj#*uY?dAgIJ_AE;2IiW zB3IK4p(?!jq!fhrhZ~ad>JySkk{?O4dy;lw24eW{L^^j$58VhTjL_ruhf* zC>Ivmd*Br^GQm(MVYop&amZZ5LJWO%MFXR9@a8NjfOHI^89cO?W~=a9Dvy3E?r}W6O%;dL||$5D%TSipRb4rBG_?Ptt3|Q90V+lFG^nA$a{saWzRl zCC*JE_rU!{qgo1(UV-1rQ?Yn>C<)