Reduce time information leakage of file uploads and file downloads #3305
Conversation
ghost
changed the title
Codecov Report
@@ Coverage Diff @@
## develop #3305 +/- ##
========================================
Coverage 85.76% 85.76%
========================================
Files 34 34
Lines 2157 2157
Branches 238 238
========================================
Hits 1850 1850
Misses 250 250
Partials 57 57Continue to review full report at Codecov.
|
|
Yep @heartsucker, i agree. Maybe a full retesting of the zip archive for both the single file and the bulk archive |
There was a problem hiding this comment.
Thanks @evilaliv3 for the fix! Changes look good to me. I can confirm this strips the compression time on the submission's gzip archive.
On develop:
$ file 1-iridescent_cheapskate-doc.gz
1-iridescent_cheapskate-doc.gz: gzip compressed data, was "file.txt", last modified: Mon Apr 30 14:01:02 2018, max compression
On this branch:
securedrop$ file 1-infectious_carpentry-doc.gz
1-infectious_carpentry-doc.gz: gzip compressed data, was "file.txt", max compression
I agree with @heartsucker that adding a test to ensure the time is properly stripped is a good idea, but will defer to @redshiftzero on if this is required for merge.
|
Let's merge this and then add additional testing - both changes should get backported into 0.7.0 |
There was a problem hiding this comment.
I've created #3329 to implement at a later time. Thanks @evilaliv3 !
The proposed fix together with the existing implementation performed for ticket #301 should be enough to avoid complete leakage of the file upload date.
Fixes #3304