author | Jay Berkenbilt <ejb@ql.org> | 2022-04-30 19:52:23 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2022-04-30 20:15:07 +0200 |
commit | ce19471f180d764bbcf5990dea5f60d4cd217dc7 (patch) | |
tree | 13bb4945e85d83c38b993ee3312fc1c5708ae4f9 | |
parent | c365a26e9df84b196eb015a0c82557fd12484da1 (diff) | |
download | qpdf-ce19471f180d764bbcf5990dea5f60d4cd217dc7.tar.zst |
Add comments around non-security-related uses of MD5
-rw-r--r-- | include/qpdf/QPDFEFStreamObjectHelper.hh | 8 | ||||
-rw-r--r-- | libqpdf/QPDFEFStreamObjectHelper.cc | 2 |
2 files changed, 7 insertions, 3 deletions
diff --git a/include/qpdf/QPDFEFStreamObjectHelper.hh b/include/qpdf/QPDFEFStreamObjectHelper.hh
index b39b6a7a..7c943453 100644
--- a/include/qpdf/QPDFEFStreamObjectHelper.hh
+++ b/include/qpdf/QPDFEFStreamObjectHelper.hh
@@ -57,9 +57,11 @@ class QPDFEFStreamObjectHelper: public QPDFObjectHelper
 // Subtype is a mime type such as "text/plain"
 QPDF_DLL
 std::string getSubtype();
- // Return the MD5 checksum as stored in the object as a binary
- // string. This does not check consistency with the data. If not
- // present, return an empty string.
+ // Return the checksum as stored in the object as a binary string.
+ // This does not check consistency with the data. If not present,
+ // return an empty string. The PDF spec specifies this as an MD5
+ // checksum and notes that it is not to be used for security
+ // purposes since MD5 is known not to be secure.
 QPDF_DLL
 std::string getChecksum();
diff --git a/libqpdf/QPDFEFStreamObjectHelper.cc b/libqpdf/QPDFEFStreamObjectHelper.cc
index 5810cf37..cbfe47a3 100644
--- a/libqpdf/QPDFEFStreamObjectHelper.cc
+++ b/libqpdf/QPDFEFStreamObjectHelper.cc
@@ -139,6 +139,8 @@ QPDFEFStreamObjectHelper::newFromStream(QPDFObjectHandle stream)
 stream.getDict().replaceKey(
 "/Type", QPDFObjectHandle::newName("/EmbeddedFile"));
 Pl_Discard discard;
+ // The PDF spec specifies use of MD5 here and notes that it is not
+ // to be used for security. MD5 is known to be insecure.
 Pl_MD5 md5("EF md5", &discard);
 Pl_Count count("EF size", &md5);
 if (!stream.pipeStreamData(&count, nullptr, 0, qpdf_dl_all)) { |
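Review bot: The new comment on `getChecksum()` says MD5 is not for security but stops short of what a caller should conclude. The value is returned "as stored in the object" and is not checked against the data, so for a PDF from an untrusted source it is whatever the file's producer wrote. I would add one sentence to the header comment, for example `// The value comes from the file itself; a match does not show that the embedded data is authentic or unmodified.` The comment added before `Pl_MD5 md5("EF md5", &discard);` in `newFromStream` has the same gap and could say what the digest is for (presumably only to populate the embedded file's checksum entry; the use of `md5` is outside the hunk). The two comments also word the same fact differently ("known not to be secure" and "known to be insecure"), and matching them would make audit greps easier. Both enclosing definitions start and end outside the hunks.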