Huge Bug: sha-1 hash is missing one character #104

Closed
dnknn opened this issue Feb 6, 2021 · 1 comment

dnknn commented Feb 6, 2021

When I was comparing, it kept prompting errors, and I was curious. After further comparing with the local hash tool, I found that the file itself was no problem. It was crxviewer that brought the wrong sha1 value.

actual sha1 value (40 digits) 765c4366dc2ac43e4f2b1b8525160f5c9c08b26e
crxviewer sha1 value (39 digits) 765c4366dc2ac43e4f2b1b852516f5c9c08b26e

Obviously, one character, 0, is missing. I am curious why it is missing a character. I have also tested: other file hashes are fine; only the sha1 hash type has a problem.

Specific steps:

  1. extension (EXIF QuickView)
    https://chrome.google.com/webstore/detail/kjihpkahhpobojbdnknpelpgmcihnepj

  2. chrome-extension://jifpbeccnghkjeaalbbjmodiffmgedin/crxviewer.html?crx=kjihpkahhpobojbdnknpelpgmcihnepj

  3. 🔍 content\.js$



So, can you investigate and see if there are hidden dangers that cause sha-1 hash calculation errors?

Rob--W (Owner) commented Feb 8, 2021

Thanks for the report. This was due to an incorrect bound check; < should be <= at

if (b < 0xF) s += '0';

@Rob--W Rob--W closed this as completed in 603e4fc Feb 8, 2021
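
The padding bug discussed in this issue, reproduced as an added example (not code from crxviewer): `toHexBuggy` uses the comparison quoted above, `toHexFixed` the corrected one, and all function names are hypothetical. The sample input is the 40-digit SHA-1 value from the report.

```javascript
// Added example; all function names are hypothetical, not crxviewer's.
// Sample input: the 40-digit SHA-1 value quoted in the report.
const REPORTED_SHA1 = '765c4366dc2ac43e4f2b1b8525160f5c9c08b26e';

// Parse a hex digest into bytes, rejecting odd lengths and non-hex characters.
function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-f]*$/i.test(hex)) {
    throw new RangeError('expected an even-length hex string');
  }
  return Uint8Array.from(hex.match(/../g) || [], (pair) => parseInt(pair, 16));
}

// Hex encoder parameterised on the padding test, so both variants share one loop.
function toHex(bytes, needsPad) {
  let s = '';
  for (const b of bytes) {
    if (needsPad(b)) s += '0';
    s += b.toString(16);
  }
  return s;
}

// Comparison as quoted in the issue: the value 0x0F is not padded.
const toHexBuggy = (bytes) => toHex(bytes, (b) => b < 0xF);
// Corrected bound: every single-digit value 0x00..0x0F gets a leading zero.
const toHexFixed = (bytes) => toHex(bytes, (b) => b <= 0xF);

// Exhaustively list the byte values for which the two encoders disagree.
function affectedByteValues() {
  const hits = [];
  for (let b = 0; b <= 0xFF; b++) {
    if (toHexBuggy([b]) !== toHexFixed([b])) hits.push(b);
  }
  return hits;
}

// Guard for any digest comparison: hex length must be exactly 2 * byte length.
function isFullLength(hex, byteLength) {
  return hex.length === 2 * byteLength;
}

const sampleBytes = hexToBytes(REPORTED_SHA1);
console.log(toHexBuggy(sampleBytes), isFullLength(toHexBuggy(sampleBytes), 20));
console.log(toHexFixed(sampleBytes), isFullLength(toHexFixed(sampleBytes), 20));
console.log(affectedByteValues());
```

Only the byte value 0x0f is affected, so a digest comes out short only when it happens to contain that byte. Checking the hex length against twice the digest size catches a short value before it is compared against a reference hash.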
JustOff pushed a commit to JustOff/esrc-explorer that referenced this issue Feb 22, 2021
Rob--W added a commit that referenced this issue Mar 28, 2022
- Rely on CORS instead of work-arounds for public XPI files from AMO (#92)
- Add work-around for crx access in Brave (#91)
- Support source viewing of extensions from Microsoft Edge (#95)
- Remove web_accessible_resources to avoid UUID leak (#100)
- Correct 0-padding of hashes (#104)
- Update jsbeautifier to v1.14.0 (#110)
- Support source viewing of extensions from Thunderbird (#111)
- Fix domain front of AMO in Firefox add-on (#115)
- Recognize CRX3 files served by addons.opera.com (#118)
- Opera only: Add work-around to access addons.opera.com (#119)
- web only: Add crx keyword to input field for keyword search (#99)
- web only: Avoid breakage of web version when an extension runs a script (#113)
- Refactor: remove unsupported declarativeWebRequest path
- Refactor: Use declarative page actions to show button.