Sparkle Vulnerability
42 views
Skip to first unread message
Patrick Robertson
Feb 10, 2016, 7:55:57 PM2/10/16
to quicksilver---development
Since we’re not using Sparkle for actually downloading anything from the server, and since we’re now using HTTPS I’m pretty sure we’re fine, but I just thought I’d post this here for everyone to see and check it over if they like:
We use a couple of Sparkle classes (see the ‘Sparkle’ group under ‘Code-External’) mainly for just moving a newly-downloaded update into place (if I remember correctly: because it can correctly prompt for a password if admin rights are needed to move the file, whereas we couldn’t in the past). See NSApplication_BLTRExtensions.m: -moveToPath:fromPath
Patrick Robertson
Feb 10, 2016, 8:01:17 PM2/10/16
to quicksilver---development
Having said that, we should probably add some kind of SHA256/MD5 check to the download stage to verify the downloaded file. What do you think?
Rob McBroom
Feb 11, 2016, 9:29:34 AM2/11/16
to quicksilver---development
On 10 Feb 2016, at 20:01, Patrick Robertson wrote:
> Having said that, we should probably add some kind of SHA256/MD5 check
> to the download stage to verify the downloaded file. What do you
> think?
Maybe. But if you’re getting the MD5 sum from the same server the file
> Having said that, we should probably add some kind of SHA256/MD5 check
> to the download stage to verify the downloaded file. What do you
> think?
comes from, and you don’t trust that server…
--
Rob McBroom
http://www.skurfer.com/
Reply all
Reply to author
Forward
0 new messages