Add hook for validating checksum #20858
Sounds good. A couple thoughts:
Yeah, I tend to agree with Dave D here and his assessment of this. I have just been thinking that this could potentially open a security hole if someone just caused it to return valid for any checksum no matter what. So my thinking is that we should only be allowing an extension to invalidate a checksum rather than overriding the TTL / other checksum validation stuff. On the other hand, it would be kind of a "user beware of what you're adding to your system" issue if we did allow extensions to just bypass the validation of the checksum.
@seamuslee001 @demeritcowboy My use-case is a blacklist of "compromised" checksums, so an "invalidate-only" hook would be fine for my use-case. The only other hook that "returns" a value is So we could just pass a
I think you're both right. So then the hook should be called "invalidateChecksum" or "invalidChecksumList" or something clear that that's all you can do.
@mattwire @demeritcowboy I think that makes most sense to me, and if the value is true then return an error back without doing the additional validation
df8b089 to 48886a8
See unit test at #20973
Overview
Checksums are not stored anywhere in the database (they are calculated at time of creation and time of use). This causes problems because there is no way to "invalidate" a checksum that was made available by mistake (e.g. hardcoded in an email).
This PR proposes adding a hook that can be called to override/modify the checksum validation.
Before
No way to override checksum validation.
After
Can be overridden via hook - eg.
Technical Details
Comments
@seamuslee001 @petednz @demeritcowboy What do you think?
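
The invalidate-only behaviour discussed in this thread, modelled as an added example in Python (it is not code from this PR or from the project). The key, the token layout and every function name are assumptions made for illustration; the point is that a listener's return value can only reject a checksum, never replace the built-in MAC and lifetime checks.

```python
import hashlib
import hmac
import time

SITE_KEY = b"constructed-demo-key"  # constructed secret for this example only

def make_checksum(contact_id, created, life_hours):
    """Stateless token: nothing is stored, the MAC is recomputed on use."""
    msg = f"{contact_id}_{created}_{life_hours}".encode()
    mac = hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()
    return f"{mac}_{created}_{life_hours}"

def core_validate(contact_id, checksum, now):
    """Built-in checks: well-formed, MAC matches, lifetime not exceeded."""
    try:
        _mac, created, life_hours = checksum.split("_")
        created, life_hours = int(created), int(life_hours)
    except ValueError:
        return False
    expected = make_checksum(contact_id, created, life_hours)
    if not hmac.compare_digest(expected.encode(), checksum.encode()):
        return False
    return now <= created + life_hours * 3600

def denylist_hook(compromised):
    """Hypothetical listener: flags checksums known to have leaked."""
    # Keep digests, so the denylist itself holds no usable tokens.
    digests = {hashlib.sha256(c.encode()).hexdigest() for c in compromised}
    def hook(contact_id, checksum):
        return hashlib.sha256(checksum.encode()).hexdigest() in digests
    return hook

def validate_checksum(contact_id, checksum, hooks, now=None):
    """A hook returning True rejects at once; any other return value is
    ignored, so a hook can never turn a failing checksum into a pass."""
    now = int(time.time()) if now is None else now
    for hook in hooks:
        try:
            if hook(contact_id, checksum) is True:
                return False
        except Exception:
            return False  # fail closed if a listener breaks
    return core_validate(contact_id, checksum, now)
```

A listener that always returns false changes nothing here: forged and expired checksums are still rejected by `core_validate`.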