Comment 2 for bug 550300

eMTee (realprogger) wrote :

Looks like the attached patch (by Big Muscle) solves the problem so the corrupted file can't go into the finished downloads folder anymore. However,
1. the wrong source is kept in the queue, resulting in infinite redownload of the corrupted file.
2. a successful exploitation of this vulnerability requires that the source does not provide the full tiger tree, so it may be worth rethinking what to do when the full tree isn't available (there's also a resume problem in this case, explained at https://bugs.launchpad.net/dcplusplus/+bug/288756).