DP-3T/dp3t-sdk-android

SignatureVerificationInterceptor not accepting huge payloads

simonroesch opened this issue · 0 comments

Currently, SignatureVerificationInterceptor is checking only the first 64MB (PEEK_MEMORY_LIMIT) of a server reply but accepting the whole data, which allows appending data that is unchecked.

This is very low risk, as we are far from generating 64MB files and one needs a correctly signed payload of exactly 64MB size to be able to append additional data. Correctly signed payloads of more than 64MB size would be rejected, because the content hash would not match.
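The behaviour described in this issue, as an added example that is not the SDK's own code: a peek-limited hash check beside a variant that refuses any body longer than the limit. Assumptions: the limit is shrunk to 16 bytes, the signature check is reduced to comparing a SHA-256 content hash, and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class PeekLimitDemo {
    // Stand-in for the 64MB PEEK_MEMORY_LIMIT (assumption: shrunk for the demo).
    static final int PEEK_MEMORY_LIMIT = 16;

    static byte[] sha256(byte[] data, int length) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(data, 0, length);
        return md.digest();
    }

    // As described in the issue: only the first PEEK_MEMORY_LIMIT bytes are
    // hashed, but the whole body is passed on when that hash matches.
    static boolean peekOnlyCheck(byte[] body, byte[] signedHash) throws NoSuchAlgorithmException {
        int peeked = Math.min(body.length, PEEK_MEMORY_LIMIT);
        return MessageDigest.isEqual(sha256(body, peeked), signedHash);
    }

    // Hardened variant: a body longer than the limit is never accepted, so every
    // accepted byte has been covered by the hash.
    static boolean strictCheck(byte[] body, byte[] signedHash) throws NoSuchAlgorithmException {
        if (body.length > PEEK_MEMORY_LIMIT) return false;
        return MessageDigest.isEqual(sha256(body, body.length), signedHash);
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    static void report(String label, byte[] body, byte[] signed) throws NoSuchAlgorithmException {
        byte[] signedHash = sha256(signed, signed.length); // hash the server signed
        System.out.println(label + ": peekOnly=" + peekOnlyCheck(body, signedHash)
                + " strict=" + strictCheck(body, signedHash));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample payloads, not real server replies.
        byte[] exact = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);    // == limit
        byte[] small = "short".getBytes(StandardCharsets.US_ASCII);               // < limit
        byte[] large = "0123456789abcdefXYZ".getBytes(StandardCharsets.US_ASCII); // > limit
        byte[] extra = "EXTRA".getBytes(StandardCharsets.US_ASCII);
        report("exact-size payload, unmodified", exact, exact);
        report("exact-size payload + appended data", concat(exact, extra), exact);
        report("smaller payload + appended data", concat(small, extra), small);
        report("oversized payload, signed as a whole", large, large);
    }
}
```

Only the exact-size case with appended data separates the two checks: the peek-only check accepts it and the strict check rejects it, while the smaller and oversized cases fail the hash comparison in both.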