From c76fcafc90e60a29fa66ff0adc83eea4644514ca Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Wed, 15 May 2024 10:28:18 +0200
Subject: [PATCH] fix: Correctly check result of function
Signed-off-by: Joas Schilling
---
 index.php | 4 ++--
 lib/Updater.php | 4 ++--
 updater.phar | Bin 1172792 -> 1172794 bytes
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/index.php b/index.php
index 69c1d161..62d7606c 100644
--- a/index.php
+++ b/index.php
@@ -708,12 +708,12 @@ public function verifyIntegrity(): void {
 -----END CERTIFICATE-----
 EOF;
- $validSignature = (bool)openssl_verify(
+ $validSignature = openssl_verify(
 file_get_contents($this->getDownloadedFilePath()),
 base64_decode($response['signature']),
 $certificate,
 OPENSSL_ALGO_SHA512
- );
+ ) === 1;
 if ($validSignature === false) {
 throw new \Exception('Signature of update is not valid');
diff --git a/lib/Updater.php b/lib/Updater.php
index 37d112d1..f1725aa1 100644
--- a/lib/Updater.php
+++ b/lib/Updater.php
@@ -670,12 +670,12 @@ public function verifyIntegrity(): void {
 -----END CERTIFICATE-----
 EOF;
- $validSignature = (bool)openssl_verify(
+ $validSignature = openssl_verify(
 file_get_contents($this->getDownloadedFilePath()),
 base64_decode($response['signature']),
 $certificate,
 OPENSSL_ALGO_SHA512
- );
+ ) === 1;
 if ($validSignature === false) {
 throw new \Exception('Signature of update is not valid');
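Review bot: With `) === 1;` an OpenSSL error (`-1` or `false`) or a failed `file_get_contents()` read is now rejected, but it raises the same 'Signature of update is not valid' exception as a genuinely bad signature, so an operator cannot tell a tampered download from a broken environment. Consider keeping the raw return value and appending `openssl_error_string()` to the message when the result is not `0`, and decoding with `base64_decode($response['signature'], true)` and checking its result before verifying. A comment above the call, `// openssl_verify(): 1 = valid, 0 = invalid, -1/false = error; only 1 may pass`, would help keep the cast from being reintroduced. The same applies to the identical hunk in lib/Updater.php; verifyIntegrity() starts and ends outside both hunks.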
diff --git a/updater.phar b/updater.phar index 3e760b1bd4669b4725feebfedcb7caa81fbb8e27..703f197fec3a726d28ba750d589e069fdee5a257 100755 GIT binary patch delta 7389 zcma($cYGAp)-&5?c6WAXHk-aFyQGmq*pyAOkVYUBAtZ=Wq$i<>l&BOTAQ7J+MF?Ew zA~g@BDj`U@bOVA9>Gg?pP^t{#A*C>m2;OeEP-~RILp|&9#9Hxm?R}{SG}3 zLb9%Tipp1dUTYI#_BvwL1qZY-QsGuAXl0lN&0ApoBsE{-9Rfx~%5)S_&C6hmmi(GXP=j4%pP9*vI4qM_l!rm8424N=58j7d z<^m>jSi^BdsOgJbNlXSkyKF+T7|e)gAd@4L)+V4%awE~HwDtu`VV5OkWvD);k!V8w z#2_a53E1gAdA@{pH&Kbz)j>)hpCpBQC!McGmdr5JAR170HP|%yqe_#+q?1#iK9fsE z{||$c5hu6cI5B+R%@@Snizd9t#)pYjyc#4rFC-wqqG6Z(#fnB`iqM(KcL7B7oU3Ob zsc|?mmzTs+pI^wSbZ0Duz>?K<-p^=>+>#+407unHWdaMQBHa%K-;$Ko6IF8*R)!{b zLL1V%sYNw=dIV6~`F2{U9D7^=>a&i##yI;ve zG}4pL5Cft(ZhO+dZnJ_?vx_{&@Z^di72U#B(-dyKJ3PD5KmtlpBG8pv27D=(H!9Oa zm5oCGK7)RRlsV=q5^6||Vftr+U!(f;K8JP$F#MGiJ6fDVdmUEchLl&-8)Ir8^=4>l zS0>f~JyX>2LN=r)4pq-pl&5;t4uy}j$oW~nhm!h zSJ9|WQqZF(5g{M@(nH~_WB-b2jHU;q%ZW>Jcr)5&O=t2W^*mShL((p^-crgCKeXYv zxbIq@MtPQUhNzs+abFG{xE+OCdox5E5668}^~{Xq3pj(2K&K zlMeWynNlH>IRl8Oiq9ojCRE0XtBQFMEz;Wtna@+X#p$b%9U3d9_9Qs`sFI%xS{(*RQQ=(7_W{ zbj7Y?Q3*zl`^9g|afk|H_LtGFQ$b3$&lrUp-neFlPRwQ80e&1eP45YY`KPKX2{53q zPFj@SX4MvjD}Ecb1Ko>K8S0MtDX;og8ifUg(U)M_QKA)nb=-if<9MBzWmm<~ME??I z$O){0f&G4mdD>{m$_TkOj(hxW)*fG|B2wIX^o2Wu5p`hw?&R-2M4u+Q8R8b`O~~Hh zVik2amFFe|t4$r2ppJ!?pjF%5Z(7Y5DiRfZIfS<>J0U6bqOeEbiI7yvV2kkX4n?ek4n{^}&Ua6nWFeNj;O;MV~wSV6!?tPkgH;`qj56eX$y=?;W) zt~SpL#mHiY3;bb$7tZ+yv_UI1pEa@Sj`{R$*l7Yf4hKpC+8D34XAel@=nuyBgy2+# zS78w}%RGG*`n)kWvU0Dz>NSOx=U;i7m83q{h!UgJ>UIR%-lH>D(qM7(WZr<5HnFq5 z`xAaYn?q2ZBbpL|l@i~2r0_vS;(joc!#r>5<+%Hflw-&i7==peO=#E7Fl7ac0U8(J zkGnqq{sr+^gp*D5Oqg(apLBb_aYPlM4faqbek?+sH%hdksxXo1?+q$k%|_T^(m9Y4 z;fId|^D)XgU%n}vIR2A+u6feQ8ED z8-kQ(K7T26PcMpQJxqzmH`1n?hk#CYL|X-7Nk3N|%| z?Rx<9Aia>+m53rD)vYZB2G*EE$+e&>7GE;J^llOA$4W?3U;6p^8I1wALK`B(DNCGq z);FHeAHjXqZtfjYq~5FxQTM*i(6FZ-pK8k1S?4nWN>5)NDGYG@?u7)mS4BQ@y~M&g z0jp@?3OHpp*kOXjh-l>VdVJ3wkH#Y-d(1Dsgvph?vv3 z7;i?kXL`3lh?5tc*wd&NAJOu1h{S^AI0{Gfd(@^e%mfJ2g(gKQOxC{yjv5~>8_XI! 
zKPEx-ctlJZ`ZL?z3S^Z{HH7@V3iu6q?~sNB<`9>cpzEU&2sQ zXG#lb;>`E~kI?QQnn?lGuXHKbpw;O`;nWY@V|^h}qJXL*!_?4fBGsc^5tMlOmU0i; zo}9tliLd3jjah+P=;Xt*Vqs()_3f4vzPkCMo$Wk#Yi-KAP;q{&J zPS6{VRvnR*QK2e3N984mj&y(nCFYWGA|DCc1b7e(=AaWrga^g_du z3s_+$xgkAe0~i0jF!=`!Xk;_>VEsCz=3&sMzd&lD5Lm%in(#VBT{Ij=q2u@K7g*U9 zw-w#nEQ+IixknS+ZghE*h@Z-^VKreXhgTPXQ{Mbw5v#P~wxE$)WTo1-#waXxd>6oG z0uZs)3hycLK7|ziwxH^kx-4L%DDFs>z;i&D+~7(Bovj(-9<P+8;CL*cby54J+57prjtqM*}`_TY07L)1fZA0|A}z}fvJwZ)CFkyT}epoYv4 z#<3mH>xTE(3z0a0;D>(7P+#G1Lh3h<3Hk%Z3nhf0dmevPg^*FK-n^EfzLL<>*Gg&b zeeeTLH(BZ-{9EY%s|BkvVBU99+52Rw({Z-UaTh1GK7n4!Q_B@y4X+AEhg?PXavjQ0 zwIw+UhlrD&pwW5iysH2$ZIg1mXl1UtIrC8E>vKA!pi6n`I9~v}^<~FTJ<;mC1QwhX zM!~8F`9>6)7tIiL;OTFPOY70}7AoRfK*wjb>V~Skbe6$(0Ds$K656ASS*Z-M7tD4q zJ&=c9^NH*O_ov2p&qc*v)$CSSMKRr`T|>WmBh^U#TeM)Ze?UF%y0X$hdjN8K)tNaQ ze5kJ~_y}$Cs^2EY09TxQ)k&1yGE0?zr)4Vp77{|oAiDtW8TWec#*Rrw!?R;hb&fix zM}w3xGc+BQXLnW=Y{`C&IWP@W&)PM%3zD-tu)dFr<+uxH`(JBRlmd#P(A|~+jC~&@ z@I?3V5(>*v1Na9Naocz6YXRYck2^+W&Go(bHOW zwzp6lVP7uCedFmk4t7i<@05t4tE@fwyp8qMBYI(Zgkr=;dMG()(KP4AJyW_GHYWePQoB)p z^m6+|Z>l$~w5&A6<8hak4f1$XGfF*WWghRq@~nZGWuDTMl&nEz1HI{SNha(p=3{V& zV%~*M=JU6k{(nVrNozh7SGVUgNqPZ4Mx*hh;4j+nZ}O=)qL6n1$S>rhnu7H~DOu&- zEbqXwjMPD;>1E|*nS;u_sRPn7N(T%|OD|0;&r0ue@$na|I_K_isRji!cuT70cUY=R+|&o+)}cRrWIK2-8`Wd3~qkp_u{TQ@$+Ptc)r zg-dbWG{a%?3hwAM+DWH4?foL0f7|eYA`Rr?zcsjoL=DsI8cLLN zd?AE?M>7epKPLuYWthf9u3gtUBgs)gw=xJf4A$6iwV=x-8oh3o1`jLINMyO9Ig>{$ zLo^xMc|$Z7@=l57!yt0=sep+NQ!xC#Pxg$~KKC-i1Po8*asN9SBX-IfBN-xT zmT0hY(jt+MW*MgG@cO-c0GTu0@K{Uyu2@!0AO&}<_IHSNyfwXo_R|f#w2w6&k1I9! 
z;rvpo8E5vjHYXd(mdL9)^ft2 z+FAOwd2h1p^ITqsgvzx|RG?eQ!O{_crv=lfzea58IHk4!X+u zWKXO<)q`)Bh&S=ELYf}4rjq(##A^=m7P52^pBsw@9p;1a^FzFW zTsg!$Oawx`F8-I5OpMfh6QV{|lcO`>bzWUG`6^ErV<4$sU7~@qM$a2!G~g?P1sDDb z8A7mIZ+77ZWboiwIc7g{w4<<1#wFE4Q=;o9ykR6`)(NZhREB^|sUKNTE%=$S`y)Xh zvw8_*w8S}H7#xUu-IbiG!jgW19Xp2@Wsny*RaNR?L4IjNNx$u=Z zQ#!8In-fTqMjC3z4LWli?jI>gxTHbK!dC)JW<2YLQ6#@DGuO*_(lT?zylS(Vd_3EX zjAYZ7=2tbe%|v`@n;?=E9`i-RJg2b}K7PO$i~9?vra1hJAmUw7#zYbuYVPR3)yUAC z)O=vRZ6xP5na&k4oz!D51Q(1ea?BA}A*OuXzs?p&j;}VEq(+Sj?o%m=q{C*jDTQp( zn9DTyO18PpJf~p84O@&694a_nqJG(C+SB^M;(rM4?Z3PDV9_fi@{Oka%-{D zj6tFc8S|dV>*u{J7SP3S#T83s1uwZT1*-{Nx8IP2tLKYzB`$Fp z1?;>h8AyJl5bS6qxFESsayU#FtfA$t#5ErqL~`&yhHEk8-SdV5nSjGl?QwM}R2>+$ zy)Y9Q^%Sdi~C6@Z*-M>m!Qa3}4HDLD>!9+gPiZvQs=MQZ%;;b;0K(+fO)B1^| za7SHHd7cx2l`X!M*3pf&s7BX&uctnq@?-)e-9Ea=g7@(W5*n~8j zD`tuWmQ6w}>Cr+sqNqy<)|CZk{VZ)IN&gf-6-Y%}X@-fwUOhoWOVxd2g(A zSj)IDaOugfrP6!;Y&qkzpIH{s)@S`8;%@h)05a}#%Q_vU)ROXlT7q?~lH}xK%T3Le z`IduvGGT?qt*5@1;D*hnbk-TeU8ar(77u+?i=Vqkh{t)kW{KR`C#;ak{?(!@Xxxx~r>btK{+cWws7@oYfXi?tX4d_L5P{ zY+j?vfp=PL33%-dB?Q-9ad98TN!s>PPFe{ZvwqW4Wx?clgVIfh zbHA4(as5aol=M5MJPpQ5g<{5VYb34KDE3%hSa^C78^JRGND?9(|Cn!*DVQ$8B`BX?UDQ_9NTB lk@s4{LVlefI8oB0rvslpU9ni-?DWH_hv-XGyMm&E{{ty_Ty_8e delta 7260 zcma)AcVJY-*1vb_-Fj!!$);>b4Kb!O zhO0O!wWPEp&7Hh(L(1R3f9mcl~@)!qbJ8;4$K**`SJ_G-#PUM6~xq^_K7c>EnN%qEBDla@wW!5lp z_+wQBex@?u??nseT%{I-A>Tds$1$oDPM9=M5cYQ(=)|9kLAXxk$B8R|E9cX7UH_7I zDMxBy0n?aFhTe1IV|IvO2K@8KNh)tg*G}yUy7ekZ@GvoSoR-utm?D8G2p8p;r9B-K zG1#t7^JVffS_p!5OfLT4tlnhyUF3^o@Qbl9bR@6;8V^!ua0A~5y>k<7<8fzAI47vV z;@K(sSez7M$H>PY+s~VkD@r-e@L9;tPWW;h+jRIORJ>ZzBq^H=HIJ@p@S{k!8OOy9 zHwwbiuL`E%+8{fgrH$gmX3#Nq_`NIG9Bd~eV#NT|F9q6eWhB(;iP5j*ed+$4x!oU?b_#qBmOP zuSjCpcg7Mke$&{JY>E~gs2$kEbTI7kNl6Kws>|iNmW>pImQ(7Q@DpvSqAOLG&3Afd z3&H`fy>0NA)^<#EGN}j`jc8SOMG(W$l_nDoGvwht1~Wf0BU2Eh;6pcn*p(9!k|5kO ziYDN;5YcRd4X>YVL9cjhVR&%*g=%cnyE*stP(e5!TG_ypGvHJ>I;K*TF{JvHgK>9# z4ln;dz`^)&!*LH3iC3JH(LSgR<{rbzUgK8aFyAaLGEWD6a;Ary8?eb?3is1@iO9xcYM%Co^&ysf8t0aZsk?V 
z#Z6fv2w%KbwioZW6?4M1_JR<7rrjyL+-ndgv`-U+52~J;a3|ZVoG@A|3MJR#_v68- zijvxP2At=un0Ep!xE=qE7i5ubw&EvBBL!i?=i6?9hY_SYQPknk_7=R-q~W{2K}f59 zKvP-i;X121C?h4Y=+%mh6jsT_p13pYtX`Ilw}Db%!k2!EKm{JJ7`l2bz6~YXUa5!O z;Yu!#`w7CIuh}(_Tsv;|m+)wCWcsQ=JTzQUe$y%lrm(Mn!ecD|VQ7AAMYByxb{M`h zGSUr28_rKpduBtmp5|kimN>5w2Zt$}&5wjvoHPfBR=m{Lm&d6e>~whA^Pe75Wl|L&dZCv+ z0b-b65OE1NCWPZUKRvEHWJP*|B9!4BuU+*}i_A+ICmu$~*Gt)CI7gcnz)WEp10u6V3x?e%E~+c@2O<5~YF2ulLB|SlD#|TqsGLy(J{7VewrP&Wh}zlw)<| zU}bSHvQSyHi|WOByTOD$`S4_nlGIivT=mcoZSqtP!{QAW-uI+U!bQ#gf15=AT2^Cc zwMQz#M9>PMWdnubw()7*V1BgWO6J1k+0$;pb0x!JFx)deg~2c*cGv@)&`Qbl4v1~T z+OuDPtL^yNL2z5#3iBF|EsmZF0XV{1zu^sfJ8{B?PzQ9{tkW=b`fvg>d)ixz?m|0; z<7P(~&-+^rL6{zNE$l_!b9mmJju2e?g#n|MN;^IWdp;?hF^DCL)a%43wAzz&hX3Bb z;T-EEwiAq0dv z^40LvVZB^?1YS5%h|BK}Q^VK(r<+fWqN4$*2(rUc&hWR2R$sFd#2G63qGz7@#qhI* z^f?qmI4(M>Cm{||Mlo*X9K(C|q!VC9KG)F2EC}xJ=dHok*i26FDH4R6?|nL)dr%)M z;qEcPN(ooQbW|2!#=OK?&Ax*0#*hc?L0AOd8m-62fAdCt!W2ym!`htfrqpsP86W!{ zp%~D{%xAdfqvOjUA#r%i{ZO>t(*X=SlwB|U>(s7jAFeAOPJ|4Ic!{+n*%KlLp}U^Q zG912q^(@{|TU+>G6sW-`f|V!Y706iYj8j)&khN8e*90qXiYMdXcJ}Qu3g$*QuCnXN z5G1xhCp-o+Jm8bkn+ruPWYQ?Z1b9%Wn9uN9)u(Ill@^HsJx5O($8N3yj|&Wc`*qlA zHYN$Oh{~MIhr(cSRrVHK);xGfsh{s? 
zglf%If}I$Y$9H}LSI%$Fb>oo%PENQ96(5(qEsP7TZ*3*reMBu@Q)|Wb2}<*=Ob~>o zFXb=!P;n%L@ne~wcAF!52dIt3ms)#s;!JS36z4`PDSs z&za8Iy`XCCe>VNd?{G(g4#ztkd}9R6fl)>;`mUr$tHI1*a2tUK@xso|(e%ml&0q}!!>RVmlj#Z8>Gb?w~g&~4)`r5Hl zD0-zWhJ_2l-uNT8VAk4kV!9WuPPZ#cwxlaBk%i!PS(a@8mjxW;^*AvUvF8~JJ;OET z5AQ)?u=6q8t{XtyInnb} zT#%*MH45yitIGcXZ^%?;$ZkkZWS==#u_068mlH+V;Wsb5a$K96>mo*5yt7 zC`%ax?AdhS%@Kp}t}K@#{a#iwzLaC;{hAIM1eNpTiwaJ{3$o#IZlk=-55Ya!(DyAf z&S|4OilUui{zR-4tPGvj=d!b3oAi{gZm&#x{!W??4duoY}G&XJ_YdjtLMd zLq=dKPS1_!gcpBsfFoh>7Y|=4-ZR^AX-<32u?UPCe!0i{C)~M;T&f+6A zy*FRX(~y0$ZCPYXXVJa={;kU$T9uYL(_G1=PUo;BS4w%wu%yzo^whM{l(f_`m#f&F zTI?>)NE_yMM#me;uWm7t^e+&@$hs8KN+xHBA!KZ_xIgCqD}+2x7kf}RJW-`e${>z( zaf~`CA&G?LiJ^S)54YGdI<2&UhE#0k})hf$(@#zRF+igDoHOdbCsoJB&Da8 zB$XFa5M~mYoKQHfNlAcJqDu^qDNjo(P90WO>UO53rL** zNa9|tmR@ntS3XtE@#ntLp)Tog3lj81UrHQ(Bpu1=DMgTGx1^)- z{iRvjT|K4QIu-z#q9^*JB3*b%yGEpQ;`CFN&^1lEYwfA#pZer9Qg}_HCzWw})9j2! zEzM}uy`oj3_*nmh7CzM1s7Uo#wU?q4_L)BENH1WW0q+&l)5>Gp3sLyD@dahdX0{t~o20gJ;dWM*49cfb|g()`w zT__ycrX|%=Wp7p}Ci?3;a-B%3rpn>$+f3HKC7WqZmAp))|yQAKUGPjdZR3n%#SSr1o9L@(8p2;eRHrWmkTK+ zcau$8GN;hwT)YtSS2RY7Bi+wRDYPQUMAdX$KT}UFbvR6|v}C|?iqL>l*-;lH^S3pKrKIj$x34N^-|vDjiJ&AqK=(zwX7k#^{1U8<+O2Fqdo^t9Dn z?6bJiAkp%P=4&n33gT`qAZV^3k9RGt8ECEzq<@|L zZmu9cIh zSPiv*XdZ23riU@Ao?O0dN+I_yGq-dYPNbW`$LRf?&lvYP7 z@W%ayae+iO-IPqU=#F9XByu?snDWX{9&tArmlLww;zJ864Qoy0`b49XzMN=SUN zWa0>u51p{j&{6e&-3{Q=iol?d>6mkdQ{I0mA4G;WnEi;;Ej!8FN<%Ap&|v6d|BqP| z%xcn6Q1(qn)_l-+9@kk<3t060`y1RFuM1-)J;VpF`biW z&3?lGJB1M4@+OS~tettj==Mr$NCF*MW}OPQ!`P+C1FbNO1Fd?pWU^Hzk2b)_PJGq+jvp@uGIW#G zLc5)_c5n0d{KRl~=mBgwxoPoYiFwxid3|fH_*H^IY2{g z`La_>o-cw{3rUp6Yv~V%r8`FIT%?`EZxUZpQv>&ldyV$0mR%=)q;4gAcdOAh=>Gb) z(4#A~BSd9}!chk;+^D^3Ar~iUCA$0L+t8Efd-Rq{?fnG~nD(LrZy2Q4H;XA31;ZlGW~eh2y<7;d0pYWnCKwA(_SZATNy zu^Y%t3w}mvBAxaxG|)!#_n_UfLTWQd~1ed)Iawz+PCR5lZNU1u}Usi8LS zDE>|1`$+&9lvy2Av$zeHx4(N-D)#UUV6i4CUie9>y z;?bjDk0k|xXgR$eh^}WT0)cOghOX?3{M2;n3iLorU>!l5hoUa-pzoIrjyv6Ic1yp# YpFTZUSva@h!(WHN4;Z0CeqsLq07vg|6951J