diff --git a/include/class.attachment.php b/include/class.attachment.php
index 10159f5e82842892398a9de147534e2807cc3b09..c605b7ca03d6ed8e0d5a4818d110b4ba16df7307 100644
--- a/include/class.attachment.php
+++ b/include/class.attachment.php
@@ -171,7 +171,6 @@ class GenericAttachments {
 $attachments = array();
 foreach ($this->attachments as $a) {
 if ($a['inline'] != $separate || $a['inline'] == $inlines) {
- $a['key'] = md5($a['id'].session_id().$a['key']);
 $a['file_id'] = $a['id'];
 $attachments[] = $a;
 }
diff --git a/include/class.faq.php b/include/class.faq.php
index d009d58c3bce290d758fa05edeb12b3872c938e9..09d5b2dcb0280e1e39c31ff322d2247d19d6c5a5 100644
--- a/include/class.faq.php
+++ b/include/class.faq.php
@@ -195,7 +195,7 @@ class FAQ {
 if(($attachments=$this->attachments->getSeparates())) {
 foreach($attachments as $attachment ) {
 /* The h key must match validation in file.php */
- $hash=$attachment['hash'].md5($attachment['id'].session_id().$attachment['hash']);
+ $hash=$attachment['key'].md5($attachment['id'].session_id().strtolower($attachment['key']));
 if($attachment['size'])
 $size=sprintf(' <small>(<i>%s</i>)</small>',Format::file_size($attachment['size']));

diff --git a/include/class.file.php b/include/class.file.php
index a2944c9db95ab97a86d7e05fdc8de547c1b57307..902eaf2eaec83f32eeda2d23e614fe0051dee0ac 100644
--- a/include/class.file.php
+++ b/include/class.file.php
@@ -112,7 +112,8 @@ class AttachmentFile {
 * download this file
 */
 function getDownloadHash() {
- return strtolower($this->getKey() . md5($this->getId().session_id().$this->getKey()));
+ return strtolower($this->getKey()
+ . md5($this->getId().session_id().strtolower($this->getKey())));
 }

 function open() {
diff --git a/include/staff/cannedresponse.inc.php b/include/staff/cannedresponse.inc.php
index d82baad74ffb9a98cd6dc494f3ab4ce9ae55c8fb..a14beb43a983548997e2e02945bc410d246d709e 100644
--- a/include/staff/cannedresponse.inc.php
+++ b/include/staff/cannedresponse.inc.php
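Review bot: With the `md5(...)` rewrite of `$a['key']` removed, the array returned from this loop now carries the raw storage key rather than a session-bound value, so any caller of this method that the commit does not update and that still treats `key` as an already session-bound token would emit the raw key into a link. The callers changed in this commit (class.faq.php, cannedresponse.inc.php, faq.inc.php) rebuild the token themselves; other consumers of `key` should be checked the same way, which cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk, so a comment above the loop would record the new contract, e.g. `// 'key' is the raw file key; a download link must be built with the getDownloadHash() formula, never from 'key' alone`.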
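Review bot: The token built on the added `$hash=` line is not lowercased as a whole, whereas `AttachmentFile::getDownloadHash()` in this same commit wraps the entire value in `strtolower()` and scp/file.php now compares the full string; if a stored key ever contains uppercase characters the link emitted here will not validate. The inner `strtolower()` only normalises the md5 input, not the first 32 characters of the link. The same formula is duplicated on the added lines in include/staff/cannedresponse.inc.php and include/staff/faq.inc.php; at minimum all three should match getDownloadHash(), e.g. `$hash=strtolower($attachment['key'].md5($attachment['id'].session_id().strtolower($attachment['key'])));`, and better still they would call one shared helper so the comment `/* The h key must match validation in file.php */` is enforced by code rather than by hand. The enclosing method starts and ends outside the hunk.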
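Review bot: The docblock above `getDownloadHash()` is cut off by the hunk, but the visible `* download this file` does not describe the value or the fact that three templates rebuild it independently; a line such as ` * Returns strtolower(key . md5(id . session_id() . strtolower(key))), 64 hex chars; scp/file.php compares the whole value and class.faq.php, cannedresponse.inc.php and faq.inc.php inline the same formula, so change all four together` would make that coupling explicit. It is also worth stating that the token is bound to `session_id()`, so a link is only valid for the session that rendered it. A short why-comment on the continuation line, `// key is lowercased before hashing so stored-key casing cannot change the digest`, would explain the inner `strtolower()`, hedged since the key's casing rules are not visible here.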
@@ -87,7 +87,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
 if($canned && ($files=$canned->attachments->getSeparates())) {
 echo '<div id="canned_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
 foreach($files as $file) {
- $hash=$file['hash'].md5($file['id'].session_id().$file['hash']);
+ $hash=$file['key'].md5($file['id'].session_id().strtolower($file['key']));
 echo sprintf('<label><input type="checkbox" name="files[]" id="f%d" value="%d" checked="checked">
 <a href="file.php?h=%s">%s</a> </label> ',
 $file['id'], $file['id'], $hash, $file['name']);
diff --git a/include/staff/faq.inc.php b/include/staff/faq.inc.php
index 8b390c3de8d43762ce79f5560d07486e2c8bc636..8f412bdb69d27a4461dad20cd1f43aebe14b723a 100644
--- a/include/staff/faq.inc.php
+++ b/include/staff/faq.inc.php
@@ -101,7 +101,7 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
 if($faq && ($files=$faq->attachments->getSeparates())) {
 echo '<div class="faq_attachments"><span class="faded">Uncheck to delete the attachment on submit</span><br>';
 foreach($files as $file) {
- $hash=$file['hash'].md5($file['id'].session_id().$file['hash']);
+ $hash=$file['key'].md5($file['id'].session_id().strtolower($file['key']));
 echo sprintf('<label><input type="checkbox" name="files[]" id="f%d" value="%d" checked="checked">
 <a href="file.php?h=%s">%s</a> </label> ',
 $file['id'], $file['id'], $hash, $file['name']);
diff --git a/scp/file.php b/scp/file.php
index 4ccc3b828c04f240de799714319781974a0353bd..9d6518d0ae4f4d53656389503bb83c71682a8963 100644
--- a/scp/file.php
+++ b/scp/file.php
@@ -23,7 +23,7 @@ $h=trim($_GET['h']);
 //basic checks
 if(!$h || strlen($h)!=64 //32*2
 || !($file=AttachmentFile::lookup(substr($h,0,32))) //first 32 is the file hash.
- || strcasecmp(substr($h,-32),md5($file->getId().session_id().strtolower($file->getKey())))) //next 32 is file id + session hash.
+ || $file->getDownloadHash() != $h) //next 32 is file id + session hash.
 die('Unknown or invalid file. #'.Format::htmlchars($_GET['h']));

 $file->download();
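Review bot: The added check `$file->getDownloadHash() != $h` is a loose comparison, and PHP compares two numeric-looking strings numerically, so a token that merely evaluates to the same number as the real one would pass; the compare should be strict and constant-time: `|| !hash_equals($file->getDownloadHash(), $h)) //whole 64 chars: key + session-bound md5` (or `!==` if the project's minimum PHP version predates `hash_equals()`). The replaced `strcasecmp()` accepted mixed case while `getDownloadHash()` is fully lowercased, so an uppercase `h` is now rejected, which is fine only if every link generator lowercases the whole token; the FAQ and canned-response templates in this commit do not lowercase the first 32 characters. The trailing comment `//next 32 is file id + session hash.` is stale now that the entire value is compared and should say so. `trim($_GET['h'])` on the hunk's header line reads the parameter without an isset check, but that line is not changed here.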