go-updater icon indicating copy to clipboard operation
go-updater copied to clipboard
verified publisher icon keybase

If Etag match, also check digest if required

Open gabriel opened this issue 5 years ago • 2 comments

If there is an ETag match, we return before digest check. I don't think this is a security issue since the digest was already checked if the destination path exists but we might as well check the digest if specified?

gabriel avatar Mar 03 '20 23:03 gabriel

Hi! Thanks for the PR, can you fill me in on what the higher level goal is? Is it that your client has been downloading updates for no good reason (repeatedly?) and not applying them? If so there might be another bug to investigate.

maxtaco avatar Mar 05 '20 22:03 maxtaco

Oh I was thinking about making a generic version/fork of this updater I could use in another project, and while I was poking around, noticed this scenario with etags and digests. I didn't encounter any bugs or weirdness or anything.

It seems like doing the digest check even if the etag matches is the correct behavior, even if in the keybase scenario that code path is never used? Basically when I looked at it, it seemed like an oversight on my part and I should mention it.

gabriel avatar Mar 06 '20 03:03 gabriel